LSASS Memory Dump Handle Accessedit

Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-system.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Credential Access

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guideedit

## Triage and analysis

### Investigating LSASS Memory Dump Handle Access

Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible
for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles
password changes, and creates access tokens.

Adversaries may attempt to access credential material stored in LSASS process memory. After a user logs on,the system
generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single
sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials can be
harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using
[alternate authentication material](

#### Possible investigation steps

- Investigate the process execution chain (parent process tree).
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate the correct install path for the process that triggered this detection.

### False positive analysis

- There should be very few if any false positives for this rule. However, it may be tripped by antivirus or endpoint detection and response solutions;
check whether these solutions are installed on the correct paths.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Scope compromised credentials and disable the accounts.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).

## Config

Ensure advanced audit policies for Windows are enabled, specifically:
Object Access policies [Event ID 4656]( (Handle to an Object was Requested)

Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
System Audit Policies >
Object Access >
Audit File System (Success,Failure)
Audit Handle Manipulation (Success,Failure)

Also, this event generates only if the object’s [SACL]( has the required access control entry (ACE) to handle the use of specific access rights.

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.

Rule queryedit

any where event.action == "File System" and event.code == "4656" and

    winlog.event_data.ObjectName : (
        "\\Device\\HarddiskVolume??\\Windows\\System32\\lsass.exe") and

    /* The right to perform an operation controlled by an extended access right. */

    (winlog.event_data.AccessMask : ("0x1fffff" , "0x1010", "0x120089", "0x1F3FFF") or
     winlog.event_data.AccessMaskDescription : ("READ_CONTROL", "Read from process memory"))

     /* Common Noisy False Positives */

    and not winlog.event_data.ProcessName : (
        "?:\\Program Files\\*.exe",
        "?:\\Program Files (x86)\\*.exe",
        "?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",