diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index 927117291..671980813 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -11,6 +11,7 @@
 "winlog.event_data.OriginalFileName": "keyword",
 "winlog.event_data.GrantedAccess": "keyword",
 "winlog.event_data.CallTrace": "keyword",
+"winlog.event_data.TargetImage": "keyword",
 "powershell.file.script_block_text": "text"
 },
 "filebeat-*": {
@@ -18,7 +19,7 @@
 },
 "logs-endpoint.events.*": {
 "process.Ext.token.integrity_level_name": "keyword",
-"process.parent.Ext.real.pid": "long"
+"process.parent.Ext.real.pid": "long"
 },
 "logs-windows.*": {
 "powershell.file.script_block_text": "text"
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
new file mode 100644
index 000000000..f403e2ad6
--- /dev/null
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2021/10/07"
+maturity = "production"
+updated_date = "2021/10/07"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export
+the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Credential Access via LSASS Memory Dump"
+references = ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz"]
+risk_score = 73
+rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.code == "10" and
+ winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
+
+ /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/
+ winlog.event_data.CallTrace : ("*dbhelp*", "*dbgcore*") and
+
+ /* case of lsass crashing */
+ not process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "LSASS Memory"
+ id = "T1003.001"
+ reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
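Review bot: The first wildcard on the `winlog.event_data.CallTrace` line, `*dbhelp*`, cannot match the library the description names, because the file is `dbghelp.dll`, so dumps that go through DBGHelp's MiniDumpWriteDump are silently missed and only call traces through dbgcore.dll will ever alert. Change the line to `winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and`. The description also misspells "preparation" as `preperation`. Separately, excluding WerFault.exe and WerFaultSecure.exe outright is presumably a bypass if an attacker triggers the dump through the error-reporting path rather than waiting for a genuine crash; that trade-off is worth recording in a `false_positives` or `note` field rather than only in the query comment.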