LSASS Memory Dump Handle Accessedit
Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-system.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656
- https://twitter.com/jsecurity101/status/1227987828534956033?s=20
- https://attack.mitre.org/techniques/T1003/001/
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html
- http://findingbad.blogspot.com/2017/
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Credential Access
Version: 1
Added (Elastic Stack release): 8.2.0
Rule authors: Elastic
Rule license: Elastic License v2
Investigation guideedit
## Triage and analysis ### Investigating LSASS Memory Dump Handle Access Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. Adversaries may attempt to access credential material stored in LSASS process memory. After a user logs on,the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/). #### Possible investigation steps - Investigate the process execution chain (parent process tree). - Investigate other alerts associated with the user/host during the past 48 hours. - Validate the correct install path for the process that triggered this detection. ### False positive analysis - There should be very few if any false positives for this rule. However, it may be tripped by antivirus or endpoint detection and response solutions; check whether these solutions are installed on the correct paths. ### Response and remediation - Initiate the incident response process based on the outcome of the triage. - Isolate the involved host to prevent further post-compromise behavior. - Scope compromised credentials and disable the accounts. - Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.). ## Config Ensure advanced audit policies for Windows are enabled, specifically: Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested) ``` Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > System Audit Policies > Object Access > Audit File System (Success,Failure) Audit Handle Manipulation (Success,Failure) ``` Also, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights. If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
Rule queryedit
any where event.action == "File System" and event.code == "4656" and winlog.event_data.ObjectName : ( "?:\\Windows\\System32\\lsass.exe", "\\Device\\HarddiskVolume?\\Windows\\System32\\lsass.exe", "\\Device\\HarddiskVolume??\\Windows\\System32\\lsass.exe") and /* The right to perform an operation controlled by an extended access right. */ (winlog.event_data.AccessMask : ("0x1fffff" , "0x1010", "0x120089", "0x1F3FFF") or winlog.event_data.AccessMaskDescription : ("READ_CONTROL", "Read from process memory")) /* Common Noisy False Positives */ and not winlog.event_data.ProcessName : ( "?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", "?:\\Windows\\system32\\wbem\\WmiPrvSE.exe", "?:\\Windows\\System32\\dllhost.exe", "?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\msiexec.exe", "?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe", "?:\\Windows\\explorer.exe")
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: OS Credential Dumping
- ID: T1003
- Reference URL: https://attack.mitre.org/techniques/T1003/