[New Rule] LSASS Memory Dump (#1784)
* Add new event_data fields (ObjectName, ProcessName)
* Add detection for LSASS Memory Dump Handle Access
* Reference an example of 120089 AccessMask presence
* modify query to increase performance and update the description to remove ("This rule").
* expand path to Elastic Agent ensure syntax consistency
* Optimize rule based on AccessMaskDescription and additional False Positives.
* add AccessMaskDescription keyword and rule tune to make sure AccessMask is used
* filter dllhost.exe and or the condition between AccessMask and AccessMaskDescription
* cleanup
This commit is contained in:
Mika Ayenson
@@ -12,19 +12,22 @@
|
||||
"event_data": {
|
||||
"AccessList": "keyword",
|
||||
"AccessMask": "keyword",
|
||||
"AccessMaskDescription": "keyword",
|
||||
"AllowedToDelegateTo": "keyword",
|
||||
"AttributeLDAPDisplayName": "keyword",
|
||||
"AttributeValue": "keyword",
|
||||
"CallerProcessName": "keyword",
|
||||
"CallerProcessName": "keyword",
|
||||
"CallTrace": "keyword",
|
||||
"ClientProcessId": "keyword",
|
||||
"GrantedAccess": "keyword",
|
||||
"NewTargetUserName": "keyword",
|
||||
"ObjectDN": "keyword",
|
||||
"ObjectName": "keyword",
|
||||
"OldTargetUserName": "keyword",
|
||||
"OriginalFileName": "keyword",
|
||||
"Properties": "keyword",
|
||||
"ParentProcessId": "keyword",
|
||||
"ProcessName": "keyword",
|
||||
"Properties": "keyword",
|
||||
"RelativeTargetName": "keyword",
|
||||
"ShareName": "keyword",
|
||||
"SubjectLogonId": "keyword",
|
||||
|
||||
@@ -0,0 +1,126 @@
|
||||
[metadata]
|
||||
creation_date = "2022/02/16"
|
||||
maturity = "production"
|
||||
updated_date = "2022/02/16"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with
|
||||
specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089).
|
||||
This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump,
|
||||
Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump
|
||||
file name.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-system.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "LSASS Memory Dump Handle Access"
|
||||
note = """## Triage and analysis.
|
||||
|
||||
### Investigating
|
||||
|
||||
Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible
|
||||
for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles
|
||||
password changes, and creates access tokens.
|
||||
|
||||
Adversaries may attempt to access credential material stored in the process memory of the LSASS. After a user logs on,
|
||||
the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate
|
||||
single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials
|
||||
can be harvested by an adversary using administrative user or SYSTEM privileges to conduct Lateral Movement using
|
||||
[Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550/).
|
||||
|
||||
#### Possible investigation steps:
|
||||
|
||||
- Validate the correct install path for the process that triggered this detection
|
||||
- Confirm that any AV or EDR solutions that trigger this detection have the correct install path
|
||||
|
||||
### False Positive Analysis
|
||||
|
||||
- There should be very few if any false positives for this rule. However, it may be tripped by AV or EDR solutions.
|
||||
|
||||
### Response and Remediation
|
||||
|
||||
- Initiate the incident response process based on the outcome of the triage
|
||||
- In case of specific credentials were compromised:
|
||||
- Reset the password for the accounts
|
||||
|
||||
## Config
|
||||
|
||||
Ensure advanced audit policies for Windows are enabled, specifically
|
||||
Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)
|
||||
|
||||
```
|
||||
Computer Configuration >
|
||||
Policies >
|
||||
Windows Settings >
|
||||
Security Settings >
|
||||
Advanced Audit Policies Configuration >
|
||||
System Audit Policies >
|
||||
Object Access >
|
||||
Audit File System (Success,Failure)
|
||||
Audit Handle Manipulation (Success,Failure)
|
||||
```
|
||||
|
||||
Also, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required ACE to handle the use of specific access rights.
|
||||
"""
|
||||
references = [
|
||||
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656",
|
||||
"https://twitter.com/jsecurity101/status/1227987828534956033?s=20",
|
||||
"https://attack.mitre.org/techniques/T1003/001/",
|
||||
"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html",
|
||||
"http://findingbad.blogspot.com/2017/"
|
||||
]
|
||||
risk_score = 73
|
||||
rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de"
|
||||
severity = "high"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
any where event.action == "File System" and event.code == "4656" and
|
||||
|
||||
winlog.event_data.ObjectName : (
|
||||
"?:\\Windows\\System32\\lsass.exe",
|
||||
"\\Device\\HarddiskVolume?\\Windows\\System32\\lsass.exe",
|
||||
"\\Device\\HarddiskVolume??\\Windows\\System32\\lsass.exe") and
|
||||
|
||||
/* The right to perform an operation controlled by an extended access right. */
|
||||
|
||||
(winlog.event_data.AccessMask : ("0x1fffff" , "0x1010", "0x120089", "0x1F3FFF") or
|
||||
winlog.event_data.AccessMaskDescription : ("READ_CONTROL", "Read from process memory"))
|
||||
|
||||
/* Common Noisy False Positives */
|
||||
|
||||
and not winlog.event_data.ProcessName : (
|
||||
"?:\\Program Files\\*.exe",
|
||||
"?:\\Program Files (x86)\\*.exe",
|
||||
"?:\\Windows\\system32\\wbem\\WmiPrvSE.exe",
|
||||
"?:\\Windows\\System32\\dllhost.exe",
|
||||
"?:\\Windows\\System32\\svchost.exe",
|
||||
"?:\\Windows\\System32\\msiexec.exe",
|
||||
"?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
|
||||
"?:\\Windows\\explorer.exe")
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1003"
|
||||
name = "OS Credential Dumping"
|
||||
reference = "https://attack.mitre.org/techniques/T1003/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1003.001"
|
||||
name = "LSASS Memory"
|
||||
reference = "https://attack.mitre.org/techniques/T1003/001/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0006"
|
||||
name = "Credential Access"
|
||||
reference = "https://attack.mitre.org/tactics/TA0006/"
|
||||
|
||||
Reference in New Issue
Block a user