forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcredential_access_suspicious_lsass_access_via_snapshot.toml
76 lines (65 loc) · 2.2 KB
/
credential_access_suspicious_lsass_access_via_snapshot.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
[metadata]
creation_date = "2021/10/14"
integration = ["windows"]
maturity = "production"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
description = """
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are
performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade
detection and dump LSASS memory for credential access.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential LSASS Memory Dump via PssCaptureSnapShot"
references = [
"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
"https://twitter.com/sbousseaden/status/1280619931516747777?lang=en",
]
risk_score = 73
rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283"
setup = """## Setup
This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold
rule cardinality feature.
"""
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.category:process and host.os.type:windows and event.code:10 and
winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
"c:\\Windows\\system32\\lsass.exe" or
"c:\\Windows\\System32\\lsass.exe")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.threshold]
field = ["process.entity_id"]
value = 2
[[rule.threshold.cardinality]]
field = "winlog.event_data.TargetProcessId"
value = 2