[New Rule] Potential Lsass Memory Dump via MirrorDump (#1504)
* [New Rule] Potential Lsass Memory Dump via MirrorDump
* added tactic
* switched to kql
* added sysmon process access non ecs types
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* rule.name as suggested by Justin and converted to EQL to add comments
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 521e4dc8f1)
This commit is contained in:
Samirbous
committed by
github-actions[bot]
github-actions[bot]
parent
09f49da822
commit
6f30bf3f7f
@@ -8,7 +8,9 @@
|
||||
}
|
||||
},
|
||||
"winlogbeat-*": {
|
||||
"winlog.event_data.OriginalFileName": "keyword"
|
||||
"winlog.event_data.OriginalFileName": "keyword",
|
||||
"winlog.event_data.GrantedAccess": "keyword",
|
||||
"winlog.event_data.CallTrace": "keyword"
|
||||
},
|
||||
"filebeat-*": {
|
||||
"o365.audit.NewValue": "keyword"
|
||||
|
||||
@@ -0,0 +1,52 @@
|
||||
[metadata]
|
||||
creation_date = "2021/09/27"
|
||||
maturity = "production"
|
||||
updated_date = "2021/09/27"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module.
|
||||
This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump Lsass memory
|
||||
for credential access.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-windows.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Credential Access via DuplicateHandle in LSASS"
|
||||
references = ["https://github.com/CCob/MirrorDump"]
|
||||
risk_score = 47
|
||||
rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where event.code == "10" and
|
||||
|
||||
/* LSASS requesting DuplicateHandle access right to another process */
|
||||
process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
|
||||
|
||||
/* call is coming from an unknown executable region */
|
||||
winlog.event_data.CallTrace : "*UNKNOWN*"
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1003"
|
||||
name = "OS Credential Dumping"
|
||||
reference = "https://attack.mitre.org/techniques/T1003/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
name = "LSASS Memory"
|
||||
id = "T1003.001"
|
||||
reference = "https://attack.mitre.org/techniques/T1003/001/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0006"
|
||||
name = "Credential Access"
|
||||
reference = "https://attack.mitre.org/tactics/TA0006/"
|
||||
Reference in New Issue
Block a user