[New Rule] Potential Credential Access via LSASS Memory Dump (#1533)

* [New Rule] Potential Credential Access via LSASS Memory Dump

* Update credential_access_suspicious_lsass_access_memdump.toml

* fix typo in calltrace and event.code type

* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_suspicious_lsass_access_memdump.toml

* added TargetImage to non ecs schema

* Update non-ecs-schema.json

* format

* Update credential_access_suspicious_lsass_access_memdump.toml

* Update credential_access_suspicious_lsass_access_memdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit c18c08a976)

etc/non-ecs-schema.json

@@ -11,6 +11,7 @@
     "winlog.event_data.OriginalFileName": "keyword",
     "winlog.event_data.GrantedAccess": "keyword",
     "winlog.event_data.CallTrace": "keyword",
+    "winlog.event_data.TargetImage": "keyword",
     "powershell.file.script_block_text": "text"
   },
   "filebeat-*": {
@@ -18,7 +19,7 @@
   },
   "logs-endpoint.events.*": {
     "process.Ext.token.integrity_level_name": "keyword",
-	  "process.parent.Ext.real.pid": "long"
+    "process.parent.Ext.real.pid": "long"
   },
   "logs-windows.*": {
     "powershell.file.script_block_text": "text"

rules/windows/credential_access_suspicious_lsass_access_memdump.toml

@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2021/10/07"
+maturity = "production"
+updated_date = "2021/10/07"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export
+the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Credential Access via LSASS Memory Dump"
+references = ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz"]
+risk_score = 73
+rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.code == "10" and
+  winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
+  
+   /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/
+  winlog.event_data.CallTrace : ("*dbhelp*", "*dbgcore*") and
+  
+   /* case of lsass crashing */
+  not process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+  [[rule.threat.technique.subtechnique]]
+  name = "LSASS Memory"
+  id = "T1003.001"
+  reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"