LSASS Memory Dump Handle Access

edit

Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-system.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Credential Access

Version: 1

Added (Elastic Stack release): 8.2.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide

edit
## Triage and analysis

### Investigating LSASS Memory Dump Handle Access

Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible
for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles
password changes, and creates access tokens.

Adversaries may attempt to access credential material stored in LSASS process memory. After a user logs on,the system
generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single
sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials can be
harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using
[alternate authentication material](https://attack.mitre.org/techniques/T1550/).

#### Possible investigation steps

- Investigate the process execution chain (parent process tree).
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate the correct install path for the process that triggered this detection.

### False positive analysis

- There should be very few if any false positives for this rule. However, it may be tripped by antivirus or endpoint detection and response solutions;
check whether these solutions are installed on the correct paths.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Scope compromised credentials and disable the accounts.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).

## Config

Ensure advanced audit policies for Windows are enabled, specifically:
Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)

```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
System Audit Policies >
Object Access >
Audit File System (Success,Failure)
Audit Handle Manipulation (Success,Failure)
```

Also, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.

Rule query

edit
any where event.action == "File System" and event.code == "4656" and
winlog.event_data.ObjectName : (
"?:\\Windows\\System32\\lsass.exe",
"\\Device\\HarddiskVolume?\\Windows\\System32\\lsass.exe",
"\\Device\\HarddiskVolume??\\Windows\\System32\\lsass.exe") and
/* The right to perform an operation controlled by an extended access
right. */ (winlog.event_data.AccessMask : ("0x1fffff" , "0x1010",
"0x120089", "0x1F3FFF") or
winlog.event_data.AccessMaskDescription : ("READ_CONTROL", "Read from
process memory")) /* Common Noisy False Positives */ and
not winlog.event_data.ProcessName : ( "?:\\Program
Files\\*.exe", "?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\system32\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\System32\\dllhost.exe",
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
"?:\\Windows\\explorer.exe")

Threat mapping

edit

Framework: MITRE ATT&CKTM