Potential Credential Dumping Via LSASS Process Clone

calendar Sep 7, 2023 · attack.credential_access attack.t1003 attack.t1003.001  ·
Share on: linkedin copy

Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity

Sigma rule (View on GitHub)

 1title: Potential Credential Dumping Via LSASS Process Clone
 2id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
 3status: test
 4description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
 5references:
 6    - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
 7    - https://twitter.com/Hexacorn/status/1420053502554951689
 8    - https://twitter.com/SBousseaden/status/1464566846594691073?s=20
 9author: Florian Roth (Nextron Systems), Samir Bousseaden
10date: 2021/11/27
11modified: 2023/03/02
12tags:
13    - attack.credential_access
14    - attack.t1003
15    - attack.t1003.001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        ParentImage|endswith: '\Windows\System32\lsass.exe'
22        Image|endswith: '\Windows\System32\lsass.exe'
23    condition: selection
24falsepositives:
25    - Unknown
26level: critical

References

  • Evading WinDefender ATP credential-theft: a hit after a hit-and-miss start :: — uf0

    Intro Recently, I became rather intrigued after reading thisarticle from MSTIC about how Windows Defender Advanced Threat Protection (WDATP) is supposed to detect credential dumping by statistically probing the amount of data read from the LSASS process. A little background is first necessary, though: on a host guarded by WDATP, when a standard credential-dumper such as mimikatz is executed, it should trigger an alert like the following one. This alert is, in all likelihood, triggered as a result of mimikatz employing MiniDumpWriteDumpwhen trying accessing the LSASS process, which in turn uses ReadProcessMemoryas a means of copying data from one process address space to another one.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top