[metadata] creation_date = "2023/03/02" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: Lsass access events added in Elastic Endpoint 8.7." min_stack_version = "8.7.0" updated_date = "2023/10/23" [rule] author = ["Elastic"] description = """ Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory. """ from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "LSASS Process Access via Windows API" references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"] risk_score = 47 rule_id = "ff4599cb-409f-4910-a239-52e4e6f532ff" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' api where host.os.type == "windows" and process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and not ( process.executable : ( "?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe", "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", "?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe", "?:\\Program Files (x86)\\Blackpoint\\SnapAgent\\SnapAgent.exe", "?:\\Program Files (x86)\\eScan\\reload.exe", "?:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", "?:\\Program Files (x86)\\Kaspersky Lab\\*\\avp.exe", "?:\\Program Files (x86)\\N-able Technologies\\Reactive\\bin\\NableReactiveManagement.exe", "?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe", "?:\\Program Files (x86)\\Trend Micro\\*\\CCSF\\TmCCSF.exe", "?:\\Program Files*\\Windows Defender\\MsMpEng.exe", "?:\\Program Files\\Bitdefender\\Endpoint Security\\EPSecurityService.exe", "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe", "?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe", "?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe", "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe", "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe", "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\packetbeat.exe", "?:\\Program Files\\ESET\\ESET Security\\ekrn.exe", "?:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe", "?:\\Program Files\\Huntress\\HuntressAgent.exe", "?:\\Program Files\\LogicMonitor\\Agent\\bin\\sbshutdown.exe", "?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe", "?:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe", "?:\\Program Files\\TDAgent\\ossec-agent\\ossec-agent.exe", "?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe", "?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", "?:\\Windows\\AdminArsenal\\PDQDeployRunner\\*\\exec\\Sysmon64.exe", "?:\\Windows\\Sysmon.exe", "?:\\Windows\\Sysmon64.exe", "?:\\Windows\\System32\\csrss.exe", "?:\\Windows\\System32\\MRT.exe", "?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\System32\\RtkAudUService64.exe", "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe" ) and process.code_signature.trusted == true ) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"