forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcredential_access_via_snapshot_lsass_clone_creation.toml
72 lines (62 loc) · 2.39 KB
/
credential_access_via_snapshot_lsass_clone_creation.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
[metadata]
creation_date = "2021/11/27"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2024/10/17"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
description = """
Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS
process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential LSASS Clone Creation via PssCaptureSnapShot"
references = [
"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
"https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2",
]
risk_score = 73
rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
setup = """## Setup
This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Sysmon",
"Data Source: System",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.code:"4688" and
process.executable : "?:\\Windows\\System32\\lsass.exe" and
process.parent.executable : "?:\\Windows\\System32\\lsass.exe"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"