From aa7d79cc5388d1fd51bf50912d979db9d513652c Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Thu, 24 Feb 2022 08:14:01 -0500
Subject: [PATCH] [New Rule] LSASS Memory Dump (#1784)

* Add new event_data fields (ObjectName, ProcessName)
* Add detection for LSASS Memory Dump Handle Access
* Reference an example of 120089 AccessMask presence
* modify query to increase performance and update the description to remove ("This rule").
* expand path to Elastic Agent ensure syntax consistency
* Optimize rule based on AccessMaskDescription and additional False Positives.
* add AccessMaskDescription keyword and rule tune to make sure AccessMask is used
* filter dllhost.exe and or the condition between AccessMask and AccessMaskDescription
* cleanup
---
 etc/non-ecs-schema.json | 7 +-
 ...al_access_lsass_memdump_handle_access.toml | 126 ++++++++++++++++++
 2 files changed, 131 insertions(+), 2 deletions(-)
 create mode 100644 rules/windows/credential_access_lsass_memdump_handle_access.toml

diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index 9ab26c0b6..d575d72b6 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -12,19 +12,22 @@
 "event_data": {
 "AccessList": "keyword",
 "AccessMask": "keyword",
+ "AccessMaskDescription": "keyword",
 "AllowedToDelegateTo": "keyword",
 "AttributeLDAPDisplayName": "keyword",
 "AttributeValue": "keyword",
- "CallerProcessName": "keyword",
+ "CallerProcessName": "keyword",
 "CallTrace": "keyword",
 "ClientProcessId": "keyword",
 "GrantedAccess": "keyword",
 "NewTargetUserName": "keyword",
 "ObjectDN": "keyword",
+ "ObjectName": "keyword",
 "OldTargetUserName": "keyword",
 "OriginalFileName": "keyword",
- "Properties": "keyword",
 "ParentProcessId": "keyword",
+ "ProcessName": "keyword",
+ "Properties": "keyword",
 "RelativeTargetName": "keyword",
 "ShareName": "keyword",
 "SubjectLogonId": "keyword",
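Review bot: The `CallerProcessName` entry is removed and re-added with no visible difference inside the hunk, which suggests a whitespace-only change (trailing space or indentation) bundled into the feature commit; if that is the case, saying so in the commit message or splitting it into a formatting commit would make the schema change easier to review. The three new keys `AccessMaskDescription`, `ObjectName` and `ProcessName` are inserted in alphabetical order and `Properties` is moved to restore that order, which is consistent with the rest of the list.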
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
new file mode 100644
index 000000000..cc2da77a1
--- /dev/null
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -0,0 +1,126 @@
+[metadata]
+creation_date = "2022/02/16"
+maturity = "production"
+updated_date = "2022/02/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with
+specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089).
+This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump,
+Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump
+file name.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "LSASS Memory Dump Handle Access"
+note = """## Triage and analysis.
+
+### Investigating
+
+Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible
+for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles
+password changes, and creates access tokens.
+
+Adversaries may attempt to access credential material stored in the process memory of the LSASS. After a user logs on,
+the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate
+single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials
+can be harvested by an adversary using administrative user or SYSTEM privileges to conduct Lateral Movement using
+[Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550/).
+
+#### Possible investigation steps:
+
+- Validate the correct install path for the process that triggered this detection
+- Confirm that any AV or EDR solutions that trigger this detection have the correct install path
+
+### False Positive Analysis
+
+- There should be very few if any false positives for this rule. However, it may be tripped by AV or EDR solutions.
+
+### Response and Remediation
+
+- Initiate the incident response process based on the outcome of the triage
+- In case of specific credentials were compromised:
+ - Reset the password for the accounts
+
+## Config
+
+Ensure advanced audit policies for Windows are enabled, specifically
+Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+System Audit Policies >
+Object Access >
+Audit File System (Success,Failure)
+Audit Handle Manipulation (Success,Failure)
+```
+
+Also, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required ACE to handle the use of specific access rights.
+"""
+references = [
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656",
+ "https://twitter.com/jsecurity101/status/1227987828534956033?s=20",
+ "https://attack.mitre.org/techniques/T1003/001/",
+ "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html",
+ "http://findingbad.blogspot.com/2017/"
+]
+risk_score = 73
+rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where event.action == "File System" and event.code == "4656" and
+
+ winlog.event_data.ObjectName : (
+ "?:\\Windows\\System32\\lsass.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\System32\\lsass.exe",
+ "\\Device\\HarddiskVolume??\\Windows\\System32\\lsass.exe") and
+
+ /* The right to perform an operation controlled by an extended access right. */
+
+ (winlog.event_data.AccessMask : ("0x1fffff" , "0x1010", "0x120089", "0x1F3FFF") or
+ winlog.event_data.AccessMaskDescription : ("READ_CONTROL", "Read from process memory"))
+
+ /* Common Noisy False Positives */
+
+ and not winlog.event_data.ProcessName : (
+ "?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Windows\\system32\\wbem\\WmiPrvSE.exe",
+ "?:\\Windows\\System32\\dllhost.exe",
+ "?:\\Windows\\System32\\svchost.exe",
+ "?:\\Windows\\System32\\msiexec.exe",
+ "?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
+ "?:\\Windows\\explorer.exe")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1003.001"
+ name = "LSASS Memory"
+ reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
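Review bot: The `description` block lists three access masks (0x1fffff, 0x1010, 0x120089) while the `query` matches four, so the documentation is already out of step with the detection it describes; update the second description line to `specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089, 0x1F3FFF).` and, for consistency, write the mask list in the query in one hex case rather than mixing `"0x1fffff"` with `"0x1F3FFF"`. The false-positive exclusions `"?:\\Program Files\\*.exe"` and `"?:\\Program Files (x86)\\*.exe"` drop every executable under those trees, which is far broader than the individually named system binaries around them; if that breadth is intended to cover AV/EDR products, the `note` should state the trade-off explicitly, since its investigation steps already ask the analyst to validate install paths. The `AccessMaskDescription` alternative `"READ_CONTROL"` is a standard right requested by many benign handle opens, so it is worth confirming against a baseline that the `or` with the mask list does not reintroduce the noise the exclusion list removes. Minor wording in the `note`: the heading `## Triage and analysis.` carries a stray trailing period, and `- In case of specific credentials were compromised:` reads better as `- In case specific credentials were compromised:`.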