[New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632)

* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot

Detects the creation of an LSASS clone via event 4688 (Sysmon process creation and the Elastic endpoint do not capture clone creation, because 4688 logs the process creation event even before the initial thread starts).

* adding extra ref url

(cherry picked from commit e3b76b7cf7)
Samirbous
2021-12-08 11:16:14 +01:00
committed by github-actions[bot]
parent f393cc35a0
commit e18c26d9be
@@ -0,0 +1,58 @@
[metadata]
creation_date = "2021/11/27"
updated_date = "2021/11/27"
maturity = "production"
[rule]
author = ["Elastic"]
description = """
Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS
process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
note = """## Config
This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation."""
references = [
"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
"https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"
]
risk_score = 73
rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.code:"4688" and
process.executable : "?:\\Windows\\System32\\lsass.exe" and
process.parent.executable : "?:\\Windows\\System32\\lsass.exe"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "OS Credential Dumping"
id = "T1003"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
name = "LSASS Memory"
id = "T1003.001"
reference = "https://attack.mitre.org/techniques/T1003/001/"
[rule.threat.tactic]
name = "Credential Access"
id = "TA0006"
reference = "https://attack.mitre.org/tactics/TA0006/"
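Review bot: The `process.parent.executable : "?:\\Windows\\System32\\lsass.exe"` line in `query` can only match when security event 4688 carries the creator process name, which older Windows builds do not log (they record only the creator PID), so on those hosts the rule silently never fires; that prerequisite belongs in `note` next to the existing datasource remark, e.g. `Requires Audit Process Creation (4688) with the Creator Process Name field populated; hosts whose 4688 carries only the creator PID will not match.` A `false_positives` entry is also missing: crash-dump tooling that snapshots LSASS (WER after an LSASS crash, for instance) presumably yields the same lsass.exe parent/child pair, and naming it tells a triager to check which process requested the snapshot rather than dismissing the alert. Minor style point on the first query line: `event.code:"4688"` has no spaces around the operator while the two lines below do; `event.code : "4688"` keeps the query consistent.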