[New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550)
* [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
* lint
* Update etc/non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* moved FP txt to Note.
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* fix json
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit e99478db00)
This commit is contained in:
Samirbous
committed by
github-actions[bot]
github-actions[bot]
parent
2e067562f1
commit
33f13e25be
@@ -0,0 +1,69 @@
|
||||
[metadata]
|
||||
creation_date = "2021/10/14"
|
||||
updated_date = "2021/10/14"
|
||||
maturity = "production"
|
||||
min_stack_version = "7.14.0"
|
||||
min_stack_comments = "Cardinality field not added to threshold rule type until 7.14."
|
||||
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed
|
||||
by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and
|
||||
dump LSASS memory for credential access.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-windows.*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential LSASS Memory Dump via PssCaptureSnapShot"
|
||||
note = """## Config
|
||||
|
||||
This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the threshold
|
||||
rule cardinality feature."""
|
||||
references = [
|
||||
"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
|
||||
"https://twitter.com/sbousseaden/status/1280619931516747777?lang=en",
|
||||
]
|
||||
risk_score = 73
|
||||
rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283"
|
||||
severity = "high"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "threshold"
|
||||
|
||||
query = '''
|
||||
event.category:process and event.code:10 and
|
||||
winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
|
||||
"c:\\Windows\\system32\\lsass.exe" or
|
||||
"c:\\Windows\\System32\\lsass.exe")
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
name = "OS Credential Dumping"
|
||||
id = "T1003"
|
||||
reference = "https://attack.mitre.org/techniques/T1003/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
name = "LSASS Memory"
|
||||
id = "T1003.001"
|
||||
reference = "https://attack.mitre.org/techniques/T1003/001/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
name = "Credential Access"
|
||||
id = "TA0006"
|
||||
reference = "https://attack.mitre.org/tactics/TA0006/"
|
||||
|
||||
[rule.threshold]
|
||||
field = ["process.entity_id"]
|
||||
value = 2
|
||||
[[rule.threshold.cardinality]]
|
||||
field = "winlog.event_data.TargetProcessId"
|
||||
value = 2
|
||||
|
||||
|
||||
Reference in New Issue
Block a user