From 51d50b7d8a7dc9276e76077ef3b8725d35545389 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 3 Apr 2023 14:34:30 +0100 Subject: [PATCH] [New Rule] Lsass Process Access - Generic (#2613) * Create credential_access_lsass_openprocess_api.toml * Update credential_access_lsass_openprocess_api.toml * Update credential_access_lsass_openprocess_api.toml * Update non-ecs-schema.json * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update credential_access_lsass_openprocess_api.toml * Update non-ecs-schema.json --------- Co-authored-by: Mika Ayenson Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --- detection_rules/etc/non-ecs-schema.json | 4 +- ...edential_access_lsass_openprocess_api.toml | 49 +++++++++++++++++++ 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 rules/windows/credential_access_lsass_openprocess_api.toml 
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 4ed8867fd..e331f921d 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -73,7 +73,9 @@
 "dll.Ext.relative_file_creation_time": "double",
 "dll.Ext.relative_file_name_modify_time": "double",
 "process.Ext.relative_file_name_modify_time": "double",
- "process.Ext.relative_file_creation_time": "double"
+ "process.Ext.relative_file_creation_time": "double",
+ "Target.process.name": "keyword",
+ "process.Ext.api.name": "keyword"
 },
 "logs-windows.*": {
 "powershell.file.script_block_text": "text"
diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml
new file mode 100644
index 000000000..3a78a013d
--- /dev/null
+++ b/rules/windows/credential_access_lsass_openprocess_api.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/03/02"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: Lsass access events added in Elastic Endpoint 8.7."
+min_stack_version = "8.7.0"
+updated_date = "2023/03/02"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "LSASS Process Access via Windows API"
+references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"]
+risk_score = 47
+rule_id = "ff4599cb-409f-4910-a239-52e4e6f532ff"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+api where host.os.type == "windows" and
+ process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
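Review bot: The `query = '''` block matches every OpenProcess/OpenThread call targeting lsass.exe with no condition on the calling process, so in most environments the alert volume will be dominated by endpoint security agents, backup and monitoring tooling, and built-in diagnostics that open that handle legitimately, yet the rule ships with neither a `false_positives` entry nor a `note` telling an analyst to expect that. I would add under `[rule]` a line such as `false_positives = ["Security products, backup and monitoring agents, and some system utilities legitimately open handles to lsass.exe; baseline and exclude trusted, signed executables before relying on this rule for alerting."]` so the expected noise is documented next to the medium severity. If the 8.7 api events also carry the requested access rights or the caller's code-signature status, filtering on those would narrow the match considerably, but those fields are not visible in this hunk so I cannot confirm they exist. A one-line comment above `query` stating that `in` on `process.Ext.api.name` is an exact match and that `Target.process.name` is a non-ECS field added in the companion schema change would also help the next maintainer.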