Potential Credential Dumping Activity Via LSASS

Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.

Sigma rule (View on GitHub)

 1title: Potential Credential Dumping Activity Via LSASS
 2id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
 3status: experimental
 4description: |
 5    Detects process access requests to the LSASS process with specific call trace calls and access masks.
 6    This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.    
 7references:
 8    - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
 9    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
10    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
11    - https://research.splunk.com/endpoint/windows_possible_credential_dumping/
12author: Samir Bousseaden, Michael Haag
13date: 2019/04/03
14modified: 2023/12/13
15tags:
16    - attack.credential_access
17    - attack.t1003.001
18    - attack.s0002
19logsource:
20    category: process_access
21    product: windows
22detection:
23    selection:
24        TargetImage|endswith: '\lsass.exe'
25        GrantedAccess|contains:
26            - '0x1000'
27            - '0x1038'
28            - '0x1438'
29            - '0x143a'
30            - '0x1fffff' # Too many false positives
31            # - '0x01000'  # Too many false positives
32            # - '0x1010'   # Too many false positives
33            # - '0x1400'  # Too many false positives
34            # - '0x1410' # Too many false positives
35            # - '0x40'   # Too many false positives
36        CallTrace|contains:
37            - 'dbgcore.dll'
38            - 'dbghelp.dll'
39            - 'kernel32.dll'
40            - 'kernelbase.dll'
41            - 'ntdll.dll'
42    filter_main_system_user:
43        SourceUser|contains: # Covers many language settings
44            - 'AUTHORI'
45            - 'AUTORI'
46    filter_optional_thor:
47        CallTrace|contains|all:
48            - ':\Windows\Temp\asgard2-agent\'
49            - '\thor\thor64.exe+'
50            - '|UNKNOWN('
51        GrantedAccess: '0x103800'
52    filter_optional_sysmon:
53        SourceImage|endswith: ':\Windows\Sysmon64.exe'
54    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
55falsepositives:
56    - Unknown
57level: medium

References

Related rules

to-top