From 2f3519d882ebd0e32db4759f0148d9871eb18275 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Wed, 17 Nov 2021 08:45:38 +0100 Subject: [PATCH] [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550) * [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot * Update credential_access_suspicious_lsass_access_via_snapshot.toml * lint * Update etc/non-ecs-schema.json Co-authored-by: Jonhnathan * Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml Co-authored-by: Jonhnathan * moved FP txt to Note. * Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml Co-authored-by: Justin Ibarra * Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml Co-authored-by: Justin Ibarra * Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml Co-authored-by: Justin Ibarra * Update etc/non-ecs-schema.json Co-authored-by: Justin Ibarra * fix json * Update credential_access_suspicious_lsass_access_via_snapshot.toml Co-authored-by: Jonhnathan Co-authored-by: Justin Ibarra (cherry picked from commit e99478db007397595213847188dfffde07737df3) --- ..._suspicious_lsass_access_via_snapshot.toml | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml new file mode 100644 index 000000000..b9d5033ac --- /dev/null +++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml @@ -0,0 +1,69 @@ +[metadata] +creation_date = "2021/10/14" +updated_date = "2021/10/14" +maturity = "production" +min_stack_version = "7.14.0" +min_stack_comments = "Cardinality field not added to threshold rule type until 7.14." + + +[rule] +author = ["Elastic"] +description = """ +Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed +by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and +dump LSASS memory for credential access. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-windows.*"] +language = "kuery" +license = "Elastic License v2" +name = "Potential LSASS Memory Dump via PssCaptureSnapShot" +note = """## Config + +This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the threshold +rule cardinality feature.""" +references = [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en", +] +risk_score = 73 +rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283" +severity = "high" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" +type = "threshold" + +query = ''' +event.category:process and event.code:10 and + winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or + "c:\\Windows\\system32\\lsass.exe" or + "c:\\Windows\\System32\\lsass.exe") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +name = "OS Credential Dumping" +id = "T1003" +reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +name = "LSASS Memory" +id = "T1003.001" +reference = "https://attack.mitre.org/techniques/T1003/001/" + + + +[rule.threat.tactic] +name = "Credential Access" +id = "TA0006" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[rule.threshold] +field = ["process.entity_id"] +value = 2 +[[rule.threshold.cardinality]] +field = "winlog.event_data.TargetProcessId" +value = 2 + +