diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml new file mode 100644 index 000000000..857459cc3 --- /dev/null +++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml @@ -0,0 +1,58 @@ +[metadata] +creation_date = "2021/11/27" +updated_date = "2021/11/27" +maturity = "production" + + +[rule] +author = ["Elastic"] +description = """ +Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS +process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-windows.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential LSASS Clone Creation via PssCaptureSnapShot" +note = """## Config + +This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.""" +references = [ +"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", +"https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2" +] +risk_score = 73 +rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00" +severity = "high" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.code:"4688" and + process.executable : "?:\\Windows\\System32\\lsass.exe" and + process.parent.executable : "?:\\Windows\\System32\\lsass.exe" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +name = "OS Credential Dumping" +id = "T1003" +reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +name = "LSASS Memory" +id = "T1003.001" +reference = "https://attack.mitre.org/techniques/T1003/001/" + + + +[rule.threat.tactic] +name = "Credential Access" +id = "TA0006" +reference = "https://attack.mitre.org/tactics/TA0006/" + + +