[metadata]
# Dates are kept as "YYYY/MM/DD" strings rather than native TOML dates (the slash form is not RFC 3339).
creation_date = "2022/12/28"
# Presumably the integration whose data streams the rule reads; the [rule] index list below
# covers logs-endpoint.events.library-* — confirm the two stay in sync when either changes.
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/10/10"
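[rule]
author = ["Elastic"]
# Rule description shown to analysts. LSASS is the Local Security Authority Subsystem Service (lsass.exe).
description = """
Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into
LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that
are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Module Loaded by LSASS"
references = ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"]
risk_score = 47
rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"
# Matches library/driver load events whose process is lsass.exe on Windows. `:` is EQL's
# case-insensitive string match and accepts `?`/`*` wildcards.
#
# A load is suppressed only when BOTH conditions hold: the signer subject is in the allowlist
# AND dll.code_signature.status is one of the accepted values. An allowlisted signer with any
# other status still alerts. Note that "errorExpired" and "errorChaining" are accepted, so a
# DLL whose chain does not validate is still excluded if its subject name matches — a subject
# name on a non-validating signature may not be independently verified, so keep this list
# tight and review additions. Each signer should appear exactly once in the allowlist.
#
# The trailing dll.hash.sha256 exclusion applies regardless of signature; the provenance of
# these hashes is not documented here — record it when adding entries.
query = '''
any where event.category in ("library", "driver") and host.os.type == "windows" and
process.executable : "?:\\Windows\\System32\\lsass.exe" and
not (dll.code_signature.subject_name :
("Microsoft Windows",
"Microsoft Corporation",
"Microsoft Windows Publisher",
"Microsoft Windows Software Compatibility Publisher",
"Microsoft Windows Hardware Compatibility Publisher",
"McAfee, Inc.",
"SecMaker AB",
"HID Global Corporation",
"HID Global",
"Apple Inc.",
"Citrix Systems, Inc.",
"Dell Inc",
"Hewlett-Packard Company",
"Symantec Corporation",
"National Instruments Corporation",
"DigitalPersona, Inc.",
"Novell, Inc.",
"gemalto",
"EasyAntiCheat Oy",
"Entrust Datacard Corporation",
"AuriStor, Inc.",
"LogMeIn, Inc.",
"VMware, Inc.",
"Istituto Poligrafico e Zecca dello Stato S.p.A.",
"Nubeva Technologies Ltd",
"Micro Focus (US), Inc.",
"Yubico AB",
"GEMALTO SA",
"Secure Endpoints, Inc.",
"Sophos Ltd",
"Morphisec Information Security 2014 Ltd",
"Entrust, Inc.",
"F5 Networks Inc",
"Bit4id",
"Thales DIS CPL USA, Inc.",
"Micro Focus International plc",
"HYPR Corp",
"Intel(R) Software Development Products",
"PGP Corporation",
"Parallels International GmbH",
"FrontRange Solutions Deutschland GmbH",
"SecureLink, Inc.",
"Tidexa OU",
"Amazon Web Services, Inc.",
"SentryBay Limited",
"Audinate Pty Ltd",
"CyberArk Software Ltd.",
"McAfeeSysPrep",
"NVIDIA Corporation PE Sign v2016",
"Trend Micro, Inc.",
"Fortinet Technologies (Canada) Inc.",
"Carbon Black, Inc.") and
dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and
not dll.hash.sha256 :
("811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c",
"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1",
"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3",
"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12",
"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa",
"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b",
"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61",
"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb",
"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95")
'''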
[[rule.threat]]
# MITRE ATT&CK mapping. The [[rule.threat.technique]] and [rule.threat.tactic] entries below
# are sub-tables of this array element and must stay between this header and any later [[rule.threat]].
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
# Nested array-of-tables: the sub-technique belongs to the technique element directly above.
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"