# Rule bookkeeping. Dates are kept as "YYYY/MM/DD" strings rather than native
# TOML dates, matching the rest of this rule set (presumably what the rule loader
# expects — verify before changing the form).
[metadata]
creation_date = "2021/09/27"
# Integration whose data stream this rule reads; see `index` under [rule].
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
# Detection rule: lsass.exe opening a handle to another process with the
# DuplicateHandle right from an unknown call-trace module (MirrorDump pattern,
# see `references`).
[rule]
author = ["Elastic"]
description = """
Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate
an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
"""
# Lookback window for each run. Because the rule is evaluated on `event.ingested`
# (see timestamp_override), this window presumably also absorbs ingest delay —
# confirm against the scheduling interval before shortening it.
from = "now-9m"
# Sysmon operational channel, whether shipped by winlogbeat or by the windows
# integration data stream.
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Credential Access via DuplicateHandle in LSASS"
references = ["https://github.com/CCob/MirrorDump"]
risk_score = 47
rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
# Shown to operators enabling the rule: on pre-8.2 beats indices `event.ingested`
# is not populated, so the timestamp override below needs an ingest pipeline.
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Sysmon",
]
# Evaluate the query against ingest time rather than event time; requires
# `event.ingested` to exist (see `setup`).
timestamp_override = "event.ingested"
type = "eql"
# Sysmon event 10 (ProcessAccess). Per the in-query comment, lsass.exe is the
# requesting (source) process and GrantedAccess 0x40 is PROCESS_DUP_HANDLE.
# Note that `==` is an exact string match on the access mask, so a mask that
# combines this right with others falls outside this rule — NOTE(review):
# confirm that narrowing is intended. The `/* */` lines are part of the EQL
# string and are interpreted by the query engine, not by TOML.
query = '''
process where host.os.type == "windows" and event.code == "10" and
/* LSASS requesting DuplicateHandle access right to another process */
process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
/* call is coming from an unknown executable region */
winlog.event_data.CallTrace : "*UNKNOWN*"
'''
# MITRE ATT&CK mapping: OS Credential Dumping / LSASS Memory under the
# Credential Access tactic. One [[rule.threat]] element per framework entry;
# the technique, sub-technique and tactic tables below belong to this element.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"