From 900a8cdbe9ae0707c07720d28b4e0230bb6acc7c Mon Sep 17 00:00:00 2001 
From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Wed, 20 Jul 2022 16:30:19 +0200 Subject: [PATCH] [New Rule] Suspicious LSASS Access via MalSecLogon (#2063) * [New Rule] Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value, this may indicate an attempt to leak an Lsass handle via abusing the Secondary Logon service in preparation for credential access. https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html Data: ``` { "_index": ".ds-logs-windows.sysmon_operational-default-2022.06.16-000005", "_id": "QxU4rIEBTJjT82fLq8Cf", "_score": 1, "_source": { "agent": { "name": "02694w-win10", "id": "85e87161-ea22-4847-a978-fb4ed45ebf0e", "type": "filebeat", "ephemeral_id": "137d194a-e542-4cd6-a1e3-f4ca9f5ad6b8", "version": "8.0.0" }, "process": { "name": "svchost.exe", "pid": 456, "thread": { "id": 15264 }, "entity_id": "{6a3c3ef2-3646-62ab-1300-00000000d300}", "executable": "C:\\WINDOWS\\system32\\svchost.exe" }, "winlog": { "computer_name": "02694w-win10.threebeesco.com", "process": { "pid": 2680, "thread": { "id": 3988 } }, "channel": "Microsoft-Windows-Sysmon/Operational", "event_data": { "GrantedAccess": "0x14c0", "TargetProcessId": "680", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetImage": "C:\\WINDOWS\\system32\\lsass.exe", "CallTrace": 
"C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e|c:\\windows\\system32\\seclogon.dll+128f|c:\\windows\\system32\\seclogon.dll+10a0|C:\\WINDOWS\\System32\\RPCRT4.dll+76953|C:\\WINDOWS\\System32\\RPCRT4.dll+da036|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a|C:\\WINDOWS\\System32\\RPCRT4.dll+19301|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51", "TargetProcessGUID": "{6a3c3ef2-3646-62ab-0c00-00000000d300}", "TargetUser": "NT AUTHORITY\\SYSTEM" }, "opcode": "Info", "version": 3, "record_id": "1825496", "task": "Process accessed (rule: ProcessAccess)", "event_id": "10", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "api": "wineventlog", "provider_name": "Microsoft-Windows-Sysmon", "user": { "identifier": "S-1-5-18", "domain": "NT AUTHORITY", "name": "SYSTEM", "type": "User" } }, "log": { "level": "information" }, "elastic_agent": { "id": "85e87161-ea22-4847-a978-fb4ed45ebf0e", "version": "8.0.0", "snapshot": false }, "message": "Process accessed:\nRuleName: -\nUtcTime: 2022-06-28 21:29:49.829\nSourceProcessGUID: {6a3c3ef2-3646-62ab-1300-00000000d300}\nSourceProcessId: 456\nSourceThreadId: 15264\nSourceImage: C:\\WINDOWS\\system32\\svchost.exe\nTargetProcessGUID: {6a3c3ef2-3646-62ab-0c00-00000000d300}\nTargetProcessId: 680\nTargetImage: C:\\WINDOWS\\system32\\lsass.exe\nGrantedAccess: 0x14C0\nCallTrace: 
C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e|c:\\windows\\system32\\seclogon.dll+128f|c:\\windows\\system32\\seclogon.dll+10a0|C:\\WINDOWS\\System32\\RPCRT4.dll+76953|C:\\WINDOWS\\System32\\RPCRT4.dll+da036|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a|C:\\WINDOWS\\System32\\RPCRT4.dll+19301|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51\nSourceUser: NT AUTHORITY\\SYSTEM\nTargetUser: NT AUTHORITY\\SYSTEM", "input": { "type": "winlog" }, "@timestamp": "2022-06-28T21:29:49.829Z", "ecs": { "version": "1.12.0" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "windows.sysmon_operational" }, "host": { "hostname": "02694w-win10", "os": { "build": "18363.815", "kernel": "10.0.18362.815 (WinBuild.160101.0800)", "name": "Windows 10 Enterprise", "type": "windows", "family": "windows", "version": "10.0", "platform": "windows" }, "ip": [ "fe80::7587:a5c1:5a7b:68f6", "172.16.66.25" ], "name": "02694w-win10.threebeesco.com", "id": "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160", "mac": [ "00:50:56:03:c6:93" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "ingested": "2022-06-28T21:30:04Z", "code": "10", "provider": "Microsoft-Windows-Sysmon", "created": "2022-06-28T21:29:51.107Z", "kind": "event", "action": "Process accessed (rule: ProcessAccess)", "category": [ "process" ], "type": [ "access" ], "dataset": "windows.sysmon_operational" }, "user": { "id": "S-1-5-18" } }, "fields": { "elastic_agent.version": [ "8.0.0" ], "event.category": [ "process" ], "host.os.name.text": [ "Windows 10 Enterprise" ], "winlog.provider_guid": [ 
"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" ], "winlog.provider_name": [ "Microsoft-Windows-Sysmon" ], "host.hostname": [ "02694w-win10" ], "winlog.computer_name": [ "02694w-win10.threebeesco.com" ], "process.pid": [ 456 ], "host.mac": [ "00:50:56:03:c6:93" ], "winlog.process.pid": [ 2680 ], "host.os.version": [ "10.0" ], "winlog.record_id": [ "1825496" ], "winlog.event_data.TargetUser": [ "NT AUTHORITY\\SYSTEM" ], "host.os.name": [ "Windows 10 Enterprise" ], "log.level": [ "information" ], "agent.name": [ "02694w-win10" ], "host.name": [ "02694w-win10.threebeesco.com" ], "event.agent_id_status": [ "verified" ], "event.kind": [ "event" ], "winlog.version": [ 3 ], "host.os.type": [ "windows" ], "user.id": [ "S-1-5-18" ], "input.type": [ "winlog" ], "data_stream.type": [ "logs" ], "host.architecture": [ "x86_64" ], "process.name": [ "svchost.exe" ], "event.provider": [ "Microsoft-Windows-Sysmon" ], "event.code": [ "10" ], "agent.id": [ "85e87161-ea22-4847-a978-fb4ed45ebf0e" ], "ecs.version": [ "1.12.0" ], "event.created": [ "2022-06-28T21:29:51.107Z" ], "winlog.event_data.CallTrace": [ "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e|c:\\windows\\system32\\seclogon.dll+128f|c:\\windows\\system32\\seclogon.dll+10a0|C:\\WINDOWS\\System32\\RPCRT4.dll+76953|C:\\WINDOWS\\System32\\RPCRT4.dll+da036|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a|C:\\WINDOWS\\System32\\RPCRT4.dll+19301|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51" ], "agent.version": [ "8.0.0" ], "host.os.family": [ "windows" ], "process.thread.id": [ 15264 ], 
"winlog.event_data.TargetProcessGUID": [ "{6a3c3ef2-3646-62ab-0c00-00000000d300}" ], "winlog.process.thread.id": [ 3988 ], "winlog.event_data.TargetImage": [ "C:\\WINDOWS\\system32\\lsass.exe" ], "winlog.event_data.TargetProcessId": [ "680" ], "process.entity_id": [ "{6a3c3ef2-3646-62ab-1300-00000000d300}" ], "host.os.build": [ "18363.815" ], "winlog.user.type": [ "User" ], "host.ip": [ "fe80::7587:a5c1:5a7b:68f6", "172.16.66.25" ], "agent.type": [ "filebeat" ], "event.module": [ "windows" ], "host.os.kernel": [ "10.0.18362.815 (WinBuild.160101.0800)" ], "winlog.api": [ "wineventlog" ], "elastic_agent.snapshot": [ false ], "host.id": [ "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160" ], "process.executable": [ "C:\\WINDOWS\\system32\\svchost.exe" ], "winlog.user.identifier": [ "S-1-5-18" ], "winlog.event_data.SourceUser": [ "NT AUTHORITY\\SYSTEM" ], "winlog.task": [ "Process accessed (rule: ProcessAccess)" ], "winlog.user.domain": [ "NT AUTHORITY" ], "elastic_agent.id": [ "85e87161-ea22-4847-a978-fb4ed45ebf0e" ], "data_stream.namespace": [ "default" ], "winlog.event_data.GrantedAccess": [ "0x14c0" ], "message": [ "Process accessed:\nRuleName: -\nUtcTime: 2022-06-28 21:29:49.829\nSourceProcessGUID: {6a3c3ef2-3646-62ab-1300-00000000d300}\nSourceProcessId: 456\nSourceThreadId: 15264\nSourceImage: C:\\WINDOWS\\system32\\svchost.exe\nTargetProcessGUID: {6a3c3ef2-3646-62ab-0c00-00000000d300}\nTargetProcessId: 680\nTargetImage: C:\\WINDOWS\\system32\\lsass.exe\nGrantedAccess: 0x14C0\nCallTrace: 
C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e|c:\\windows\\system32\\seclogon.dll+128f|c:\\windows\\system32\\seclogon.dll+10a0|C:\\WINDOWS\\System32\\RPCRT4.dll+76953|C:\\WINDOWS\\System32\\RPCRT4.dll+da036|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a|C:\\WINDOWS\\System32\\RPCRT4.dll+19301|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51\nSourceUser: NT AUTHORITY\\SYSTEM\nTargetUser: NT AUTHORITY\\SYSTEM" ], "winlog.user.name": [ "SYSTEM" ], "winlog.event_id": [ "10" ], "event.ingested": [ "2022-06-28T21:30:04.000Z" ], "event.action": [ "Process accessed (rule: ProcessAccess)" ], "@timestamp": [ "2022-06-28T21:29:49.829Z" ], "winlog.channel": [ "Microsoft-Windows-Sysmon/Operational" ], "host.os.platform": [ "windows" ], "data_stream.dataset": [ "windows.sysmon_operational" ], "event.type": [ "access" ], "winlog.opcode": [ "Info" ], "agent.ephemeral_id": [ "137d194a-e542-4cd6-a1e3-f4ca9f5ad6b8" ], "event.dataset": [ "windows.sysmon_operational" ] } } ``` * Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml * Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml Co-authored-by: Jonhnathan Co-authored-by: Jonhnathan Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 59736e397323d0b4e943b9c9dc7a8aa3821a03f0) --- ...l_access_lsass_handle_via_malseclogon.toml | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 rules/windows/credential_access_lsass_handle_via_malseclogon.toml 
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
new file mode 100644
index 000000000..15f675f06
--- /dev/null
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2022/06/29"
+maturity = "production"
+updated_date = "2022/06/29"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access
+rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation
+for credential access.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious LSASS Access via MalSecLogon"
+note = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"]
+risk_score = 73
+rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.code == "10" and
+ winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
+
+ /* seclogon service accessing lsass */
+ winlog.event_data.CallTrace : "*seclogon.dll*" and process.name : "svchost.exe" and
+
+ /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */
+ winlog.event_data.GrantedAccess == "0x14c0"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
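Review bot: The access-mask condition `winlog.event_data.GrantedAccess == "0x14c0"` in the query uses the case-sensitive `==` while every other string test in the same query uses the case-insensitive `:`, and the sample event in this commit's description renders the same value as both `0x14c0` (event_data) and `0x14C0` (message); `winlog.event_data.GrantedAccess : "0x14c0"` keeps the comparison consistent with the rest of the query and tolerant of either rendering. The exact mask also means a handle opened with any rights beyond those three bits does not match, which is worth stating in the rule description as a known coverage gap rather than leaving it implicit in the comment. The Setup note only covers `event.ingested`; since the query keys on `event.code == "10"` and `winlog.event_data.CallTrace`, it should also state that Sysmon Event ID 10 (ProcessAccess) with call-trace collection must be configured for lsass.exe, otherwise the rule can never fire.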