From e18c26d9beeafe163f2e12fa8652f24e946d3fcc Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 8 Dec 2021 11:16:14 +0100
Subject: [PATCH] [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632)

* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot

Detects the creation of LSASS clone via event 4688 (Sysmon process creation as well as Elastic endpoint don't capture clone creation due to the way 4688 logs process creation event even before an initial threat starts).

* adding extra ref url

(cherry picked from commit e3b76b7cf70ce2009a402e8b20c7a486a53df84a)
---
 ...ess_via_snapshot_lsass_clone_creation.toml | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml

diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
new file mode 100644
index 000000000..857459cc3
--- /dev/null
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2021/11/27"
+updated_date = "2021/11/27"
+maturity = "production"
+
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS
+process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
+note = """## Config
+
+This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation."""
+references = [
+"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+"https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"
+]
+risk_score = 73
+rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.code:"4688" and
+ process.executable : "?:\\Windows\\System32\\lsass.exe" and
+ process.parent.executable : "?:\\Windows\\System32\\lsass.exe"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "OS Credential Dumping"
+id = "T1003"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+name = "LSASS Memory"
+id = "T1003.001"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+
+
+[rule.threat.tactic]
+name = "Credential Access"
+id = "TA0006"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
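Review bot: The `note` block says the rule depends on security event 4688 but not what produces that event, so a deployment without process-creation auditing enabled yields silence rather than a visible gap; add a sentence to the `## Config` text such as `Windows security event 4688 is only emitted when the "Audit Process Creation" policy is enabled on the monitored hosts; verify it is generated before relying on this rule.` The query only establishes that both `process.executable` and `process.parent.executable` are lsass.exe and does not observe which API produced the child, so the PssCaptureSnapShot attribution in `name` and `description` is an inference about the usual cause, which the `may indicate` wording in the description covers but the note could state explicitly so analysts do not treat the API name as an observed fact. The blank-line spacing between sections is uneven (three lines before `[rule.threat.tactic]`, two elsewhere and at end of file), which a formatter pass would normalise to the repository's usual layout.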