Potential Credential Dumping Activity Via LSASS
Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
Sigma rule
title: Potential Credential Dumping Activity Via LSASS
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: experimental
description: |
    Detects process access requests to the LSASS process with specific call trace calls and access masks.
    This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
references:
    - https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
    - https://research.splunk.com/endpoint/windows_possible_credential_dumping/
author: Samir Bousseaden, Michael Haag
date: 2019-04-03
modified: 2024-03-02
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains:
            - '0x1038'
            - '0x1438'
            - '0x143a'
            - '0x1fffff' # Too many false positives
            # - '0x01000' # Too many false positives
            # - '0x1010' # Too many false positives
            # - '0x1400' # Too many false positives
            # - '0x1410' # Too many false positives
            # - '0x40' # Too many false positives
        CallTrace|contains:
            - 'dbgcore.dll'
            - 'dbghelp.dll'
            - 'kernel32.dll'
            - 'kernelbase.dll'
            - 'ntdll.dll'
    filter_main_system_user:
        SourceUser|contains: # Covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_optional_thor:
        CallTrace|contains|all:
            - ':\Windows\Temp\asgard2-agent\'
            - '\thor\thor64.exe+'
            - '|UNKNOWN('
        GrantedAccess: '0x103800'
    filter_optional_sysmon:
        SourceImage|endswith: ':\Windows\Sysmon64.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
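As an added example (not code from the Sigma project or the rule authors), the rule's selection and filter logic re-implemented in Python and run over constructed Sysmon Event ID 10 records, to show which events pass the selection and which the filters suppress. The sample events are made up, and Sigma's case-insensitive string matching is approximated with lower().

```python
# Added example, not part of the Sigma project: a minimal re-implementation of this
# rule's selection and filters, run over constructed Sysmon Event ID 10 records.
# Sigma 'contains'/'endswith' are case-insensitive unless the |cased modifier is set.
ACCESS_MASKS = ["0x1038", "0x1438", "0x143a", "0x1fffff"]
TRACE_MODULES = ["dbgcore.dll", "dbghelp.dll", "kernel32.dll", "kernelbase.dll", "ntdll.dll"]
THOR_TRACE = [":\\windows\\temp\\asgard2-agent\\", "\\thor\\thor64.exe+", "|unknown("]

def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)

def selection(ev):
    # 'contains' on GrantedAccess means '0x1038' also matches '0x103800', which is
    # why filter_optional_thor has to pin that mask with an exact comparison.
    return (ev.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and _contains_any(ev.get("GrantedAccess", ""), ACCESS_MASKS)
            and _contains_any(ev.get("CallTrace", ""), TRACE_MODULES))

def filter_main_system_user(ev):
    # 'AUTHORI' / 'AUTORI' cover NT AUTHORITY and several localised spellings
    return _contains_any(ev.get("SourceUser", ""), ["AUTHORI", "AUTORI"])

def filter_optional_thor(ev):
    trace = ev.get("CallTrace", "").lower()  # contains|all: every needle must be present
    return all(s in trace for s in THOR_TRACE) and ev.get("GrantedAccess", "").lower() == "0x103800"

def filter_optional_sysmon(ev):
    return ev.get("SourceImage", "").lower().endswith(":\\windows\\sysmon64.exe")

def matches(ev):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return selection(ev) and not (filter_main_system_user(ev)
                                  or filter_optional_thor(ev) or filter_optional_sysmon(ev))

def alerting_sources(events):
    """SourceImage of every event the rule would fire on, in input order."""
    return [ev["SourceImage"] for ev in events if matches(ev)]

# Constructed sample events (field names as Sysmon writes them; all values are made up)
LSASS = "C:\\Windows\\system32\\lsass.exe"
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "SourceUser": "CORP\\alice", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2f4|C:\\Windows\\System32\\dbgcore.dll+1a3c"},
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetImage": LSASS,
     "GrantedAccess": "0x1438", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2f4|C:\\Windows\\System32\\KERNELBASE.dll+2bd3e"},
    {"SourceImage": "C:\\Windows\\Sysmon64.exe", "SourceUser": "CORP\\sysmon-svc", "TargetImage": LSASS,
     "GrantedAccess": "0x1038", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2f4|C:\\Windows\\Sysmon64.exe+12a3"},
    {"SourceImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "SourceUser": "CORP\\bob", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2f4"},
]
```

Only the Taskmgr event fires: the svchost event is suppressed by the system-user filter, the Sysmon64 event by the sysmon filter, and the WmiPrvSE event never passes the selection because 0x1000 is not in the access-mask list.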
Related rules
- Credential Dumping Attempt Via WerFault
- LSASS Access From Potentially White-Listed Processes
- LSASS Memory Access by Tool With Dump Keyword In Name
- Mimikatz Use
- Remote LSASS Process Access Through Windows Remote Management