Potential Credential Dumping Via LSASS Process Clone
Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
Sigma rule
title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
references:
    - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
    - https://twitter.com/Hexacorn/status/1420053502554951689
    - https://twitter.com/SBousseaden/status/1464566846594691073?s=20
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2021/11/27
modified: 2023/03/02
tags:
    - attack.credential_access
    - attack.t1003
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Windows\System32\lsass.exe'
        Image|endswith: '\Windows\System32\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
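The rule's selection applied to constructed process_creation events, as an added Python example that is not part of the Sigma project or this rule's page; it assumes Sysmon Event ID 1 field names (ParentImage, Image, ProcessId) and implements Sigma's endswith modifier case-insensitively, since a raw string comparison would miss a path logged as C:\WINDOWS\system32\LSASS.EXE.

```python
"""Evaluate the LSASS-clone selection over constructed process_creation events.

Sigma string matching is case-insensitive by default, so the endswith
comparison lowercases both sides before comparing.
"""
from typing import Iterable

# The two fields from the rule's 'selection'; both must hold (implicit AND).
SELECTION = {
    "ParentImage|endswith": r"\Windows\System32\lsass.exe",
    "Image|endswith": r"\Windows\System32\lsass.exe",
}


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """True when every 'field|endswith' entry of the selection matches the event."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if modifier != "endswith":
            raise ValueError(f"unsupported modifier: {modifier}")
        actual = event.get(field)
        if actual is None or not sigma_endswith(actual, expected):
            return False
    return True


def find_lsass_clones(events: Iterable[dict]) -> list:
    """Return the ProcessId of every event the rule would alert on."""
    return [e["ProcessId"] for e in events if matches_selection(e)]


# Constructed sample events (not real telemetry), Sysmon Event ID 1 style.
SAMPLE_EVENTS = [
    {"ProcessId": 700, "ParentImage": r"C:\Windows\System32\wininit.exe",
     "Image": r"C:\Windows\System32\lsass.exe"},        # normal LSASS start: no alert
    {"ProcessId": 4412, "ParentImage": r"C:\Windows\System32\lsass.exe",
     "Image": r"C:\Windows\System32\lsass.exe"},        # LSASS spawned LSASS: alert
    {"ProcessId": 4420, "ParentImage": r"C:\WINDOWS\system32\LSASS.EXE",
     "Image": r"C:\WINDOWS\system32\lsass.exe"},        # same, different casing: alert
    {"ProcessId": 5100, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},          # unrelated: no alert
]

if __name__ == "__main__":
    print(find_lsass_clones(SAMPLE_EVENTS))  # [4412, 4420]
```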
Related rules
- Antivirus Password Dumper Detection
- Mimikatz Command Line With Ticket Export
- LSASS Dump Keyword In CommandLine
- Possible Impacket Secretsdump.py Activity
- Suspicious Hacktool Execution - Imphash