## Triage and analysis

### Investigating LSASS Memory Dump Handle Access

Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible
for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles
password changes, and creates access tokens.

Adversaries may attempt to access credential material stored in LSASS process memory. After a user logs on,the system
generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single
sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials can be
harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using
[alternate authentication material](https://attack.mitre.org/techniques/T1550/).

#### Possible investigation steps

- Investigate the process execution chain (parent process tree).
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate the correct install path for the process that triggered this detection.

### False positive analysis

- There should be very few if any false positives for this rule. However, it may be tripped by antivirus or endpoint detection and response solutions;
check whether these solutions are installed on the correct paths.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Scope compromised credentials and disable the accounts.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).

## Config

Ensure advanced audit policies for Windows are enabled, specifically:
Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)

```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
System Audit Policies >
Object Access >
Audit File System (Success,Failure)
Audit Handle Manipulation (Success,Failure)
```

Also, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.