SigmaHQ/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml

title: Credentials Dumping Tools Accessing LSASS Memory
id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
status: experimental
description: Detects process access LSASS memory which is typical for credentials dumping tools
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
    oscd.community (update)
date: 2017/02/16
modified: 2019/11/08
references:
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
tags:
    - attack.t1003
    - attack.s0002
    - attack.credential_access
    - car.2019-04-004
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 10
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains:
            - '0x40'
            - '0x1000'
            - '0x1400'
            - '0x100000'
            - '0x1410'    # car.2019-04-004
            - '0x1010'    # car.2019-04-004
            - '0x1438'    # car.2019-04-004
            - '0x143a'    # car.2019-04-004
            - '0x1418'    # car.2019-04-004
            - '0x1f0fff'
            - '0x1f1fff'
            - '0x1f2fff'
            - '0x1f3fff'
    filter:
        ProcessName|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts
            - '\wmiprvse.exe'
            - '\taskmgr.exe'
            - '\procexp64.exe'
            - '\procexp.exe'
            - '\lsm.exe'
            - '\csrss.exe'
            - '\wininit.exe'
            - '\vmtoolsd.exe'
    condition: selection and not filter
fields:
    - ComputerName
    - User
    - SourceImage
falsepositives:
    - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
level: high
Rule fixes Made tests pass the new CI tests. Added further allowed lower case words in rule test. 2020-02-20 22:00:16 +00:00			`title: Credentials Dumping Tools Accessing LSASS Memory`
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing. 2019-12-19 22:56:36 +00:00			`id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`status: experimental`
Update and rename sysmon_mimikatz_detection_lsass.yml to sysmon_cred_dump_lsass_access.yml 2019-11-07 23:05:34 +00:00			`description: Detects process access LSASS memory which is typical for credentials dumping tools`
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing. 2019-12-19 22:56:36 +00:00			`author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,`
			`oscd.community (update)`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`date: 2017/02/16`
Update and rename sysmon_mimikatz_detection_lsass.yml to sysmon_cred_dump_lsass_access.yml 2019-11-07 23:05:34 +00:00			`modified: 2019/11/08`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow`
Add detection for recent Mimikatz versions GrantedAccess is 0x1010 not 0x1410 in recent versions of mimikatz. This modification should address both 2019-06-12 09:13:31 +00:00			`- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment`
Update and rename sysmon_mimikatz_detection_lsass.yml to sysmon_cred_dump_lsass_access.yml 2019-11-07 23:05:34 +00:00			`- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf`
added a few mitre attack tags to windows sysmon rules 2018-07-27 04:15:07 +00:00			`tags:`
ATT&CK tagging QA 2018-09-20 10:44:44 +00:00			`- attack.t1003`
added a few mitre attack tags to windows sysmon rules 2018-07-27 04:15:07 +00:00			`- attack.s0002`
			`- attack.credential_access`
First Pass 2019-06-14 04:15:38 +00:00			`- car.2019-04-004`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00			`product: windows`
			`service: sysmon`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`detection:`
			`selection:`
Removed unneeded array 2017-10-18 13:12:29 +00:00			`EventID: 10`
Update and rename sysmon_mimikatz_detection_lsass.yml to sysmon_cred_dump_lsass_access.yml 2019-11-07 23:05:34 +00:00			`TargetImage\|endswith: '\lsass.exe'`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`GrantedAccess\|contains:`
			`- '0x40'`
			`- '0x1000'`
			`- '0x1400'`
			`- '0x100000'`
			`- '0x1410' # car.2019-04-004`
			`- '0x1010' # car.2019-04-004`
			`- '0x1438' # car.2019-04-004`
			`- '0x143a' # car.2019-04-004`
			`- '0x1418' # car.2019-04-004`
Update sysmon_mimikatz_detection_lsass.yml 2019-11-07 01:50:22 +00:00			`- '0x1f0fff'`
			`- '0x1f1fff'`
			`- '0x1f2fff'`
			`- '0x1f3fff'`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`filter:`
Update and rename sysmon_mimikatz_detection_lsass.yml to sysmon_cred_dump_lsass_access.yml 2019-11-07 23:05:34 +00:00			`ProcessName\|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts`
			`- '\wmiprvse.exe'`
			`- '\taskmgr.exe'`
			`- '\procexp64.exe'`
			`- '\procexp.exe'`
			`- '\lsm.exe'`
			`- '\csrss.exe'`
			`- '\wininit.exe'`
			`- '\vmtoolsd.exe'`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`condition: selection and not filter`
OSCD QA wave 1 * Checked all rules against Mordor and EVTX samples datasets * Added field names * Some severity adjustments * Fixes 2020-01-10 23:11:27 +00:00			`fields:`
			`- ComputerName`
			`- User`
			`- SourceImage`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`falsepositives:`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`- Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it`
Update sysmon_mimikatz_detection_lsass.yml 2019-11-07 01:33:40 +00:00			`level: high`