sigma-rules/rules/windows/credential_access_lsass_memdump_handle_access.toml
Mika Ayenson aab23636e8 [New Rule] LSASS Memory Dump (#1784)
* Add new event_data fields (ObjectName, ProcessName)

* Add detection for LSASS Memory Dump Handle Access

* Reference an example of 120089 AccessMask presence

* modify query to increase performance and update the description to remove ("This rule").

* expand path to Elastic Agent ensure syntax consistency

* Optimize rule based on AccessMaskDescription and additional False Positives.

* add AccessMaskDescription keyword and rule tune to make sure AccessMask is used

* filter dllhost.exe and or the condition between AccessMask and AccessMaskDescription

* cleanup

(cherry picked from commit aa7d79cc53)
2022-02-24 13:16:42 +00:00

127 lines
4.9 KiB
TOML

[metadata]
creation_date = "2022/02/16"
maturity = "production"
updated_date = "2022/02/16"
[rule]
author = ["Elastic"]
description = """
Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with
specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089).
This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump,
Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump
file name.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*"]
language = "eql"
license = "Elastic License v2"
name = "LSASS Memory Dump Handle Access"
note = """## Triage and analysis
### Investigating
Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible
for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles
password changes, and creates access tokens.
Adversaries may attempt to access credential material stored in the process memory of the LSASS. After a user logs on,
the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate
single sign-on (SSO) ensuring a user isn't prompted each time resource access is requested. These credential materials
can be harvested by an adversary using administrative user or SYSTEM privileges to conduct Lateral Movement using
[Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550/).
#### Possible investigation steps:
- Validate the correct install path for the process that triggered this detection
- Confirm that any AV or EDR solutions that trigger this detection have the correct install path
### False Positive Analysis
- There should be very few if any false positives for this rule. However, it may be tripped by AV or EDR solutions.
### Response and Remediation
- Initiate the incident response process based on the outcome of the triage
- In case specific credentials were compromised:
  - Reset the password for the accounts
## Config
Ensure advanced audit policies for Windows are enabled, specifically
Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
System Audit Policies >
Object Access >
Audit File System (Success,Failure)
Audit Handle Manipulation (Success,Failure)
```
Also, this event generates only if the object's [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required ACE to handle the use of specific access rights.
"""
references = [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656",
"https://twitter.com/jsecurity101/status/1227987828534956033?s=20",
"https://attack.mitre.org/techniques/T1003/001/",
"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html",
"http://findingbad.blogspot.com/2017/"
]
risk_score = 73
rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where event.action == "File System" and event.code == "4656" and
winlog.event_data.ObjectName : (
"?:\\Windows\\System32\\lsass.exe",
"\\Device\\HarddiskVolume?\\Windows\\System32\\lsass.exe",
"\\Device\\HarddiskVolume??\\Windows\\System32\\lsass.exe") and
/* The right to perform an operation controlled by an extended access right. */
(winlog.event_data.AccessMask : ("0x1fffff" , "0x1010", "0x120089", "0x1F3FFF") or
winlog.event_data.AccessMaskDescription : ("READ_CONTROL", "Read from process memory"))
/* Common Noisy False Positives */
and not winlog.event_data.ProcessName : (
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\system32\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\System32\\dllhost.exe",
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
"?:\\Windows\\explorer.exe")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
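To show how the rule's query decides what alerts, here is an added Python re-implementation of its matching logic (example code, not part of the rule file or the Elastic project) run over constructed 4656-style events. The wildcard handling mimics EQL's `:` operator, field names follow the rule, and all process paths in the sample events are hypothetical.

```python
import re
LSASS_OBJECT_PATTERNS = [  # copied from the rule's query; EQL's "\\" is one backslash
    r"?:\Windows\System32\lsass.exe",
    r"\Device\HarddiskVolume?\Windows\System32\lsass.exe",
    r"\Device\HarddiskVolume??\Windows\System32\lsass.exe",
]
ACCESS_MASKS = {"0x1fffff", "0x1010", "0x120089", "0x1f3fff"}
ACCESS_MASK_DESCRIPTIONS = {"read_control", "read from process memory"}
EXCLUDED_PROCESS_PATTERNS = [
    r"?:\Program Files\*.exe", r"?:\Program Files (x86)\*.exe",
    r"?:\Windows\system32\wbem\WmiPrvSE.exe", r"?:\Windows\System32\dllhost.exe",
    r"?:\Windows\System32\svchost.exe", r"?:\Windows\System32\msiexec.exe",
    r"?:\ProgramData\Microsoft\Windows Defender\*.exe", r"?:\Windows\explorer.exe",
]

def eql_match(value, patterns):
    """Mimic EQL's ':' operator: case-insensitive, '*' = any run, '?' = one char."""
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."),
                            value, re.IGNORECASE) for p in patterns)

def matches_rule(event):
    """Evaluate the rule's query against one flattened event (field name -> string)."""
    get = event.get
    if get("event.action") != "File System" or get("event.code") != "4656":
        return False
    if not eql_match(get("winlog.event_data.ObjectName", ""), LSASS_OBJECT_PATTERNS):
        return False
    # The query ORs the raw mask with the decoded description, so either one suffices.
    mask_hit = get("winlog.event_data.AccessMask", "").lower() in ACCESS_MASKS
    desc_hit = get("winlog.event_data.AccessMaskDescription", "").lower() in ACCESS_MASK_DESCRIPTIONS
    if not (mask_hit or desc_hit):
        return False
    # Known-noisy requesters from the exclusion list are filtered out last.
    return not eql_match(get("winlog.event_data.ProcessName", ""), EXCLUDED_PROCESS_PATTERNS)

def make_event(object_name, process_name, access_mask="", description="", code="4656"):
    """Build a flattened 4656-style event; every value is constructed sample data."""
    return {"event.action": "File System", "event.code": code,
            "winlog.event_data.ObjectName": object_name, "winlog.event_data.ProcessName": process_name,
            "winlog.event_data.AccessMask": access_mask, "winlog.event_data.AccessMaskDescription": description}

SAMPLE_EVENTS = [  # hypothetical process paths
    make_event(r"C:\Windows\System32\lsass.exe", r"C:\Users\alice\Downloads\dumper.exe", "0x1FFFFF"),
    make_event(r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\svchost.exe", "0x1010"),
    make_event(r"\Device\HarddiskVolume3\Windows\System32\lsass.exe", r"C:\Temp\tool.exe",
               "0x0010", "Read from process memory"),
]

def alerting_processes(events):
    """Return the ProcessName of every event the rule would alert on."""
    return [e["winlog.event_data.ProcessName"] for e in events if matches_rule(e)]
```

The second sample is suppressed by the `svchost.exe` exclusion and the third alerts on the decoded `AccessMaskDescription` alone, which is why the rule ORs it with the raw mask.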