[New Rule] Lsass Process Access - Generic #2613

Samirbous · 2023-03-02T13:21:17Z

using Elastic 8.7 endpoint OpenProcess api events :

any where event.category  == "api" and 
 process.Ext.api.name in ("OpenProcess", "OpenThread") and  Target.process.name == "lsass.exe" and

Event example :

{
  "_index": ".ds-logs-endpoint.events.api-default-2023.03.02-000001",
  "_id": "lV9rooYBV0oJWcxQo5xn",
  "_score": 1,
  "fields": {
    "host.os.full.text": [
      "Windows Server 2016 Datacenter 1607 (10.0.14393.4467)"
    ],
    "event.category": [
      "api"
    ],
    "process.name.text": [
      "nanodump.x64.exe"
    ],
    "host.os.name.text": [
      "Windows"
    ],
    "host.os.full": [
      "Windows Server 2016 Datacenter 1607 (10.0.14393.4467)"
    ],
    "host.hostname": [
      "01566s-win16-ir"
    ],
    "process.pid": [
      4984
    ],
    "Target.process.pid": [
      724
    ],
    "host.mac": [
      "00:50:56:24:6c:d2"
    ],
    "elastic.agent.id": [
      "39b71dca-3f91-4026-95f1-27fbafaf93b1"
    ],
    "process.thread.Ext.call_stack_contains_unbacked": [
      false
    ],
    "host.os.version": [
      "1607 (10.0.14393.4467)"
    ],
    "host.os.name": [
      "Windows"
    ],
    "host.name": [
      "01566s-win16-ir"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "unknown"
    ],
    "process.thread.Ext.call_stack.instruction_pointer": [
      "140702776694495",
      "140702776697750",
      "140702776705210",
      "140702776693697",
      "140702776694006",
      "140722816189652",
      "140722853255041"
    ],
    "host.os.type": [
      "windows"
    ],
    "user.id": [
      "S-1-5-21-308926384-506822093-3341789130-1105"
    ],
    "process.Ext.ancestry": [
      "MzliNzFkY2EtM2Y5MS00MDI2LTk1ZjEtMjdmYmFmYWY5M2IxLTQ3NjQtMTY3Nzc2MTEwMC4xMzIxMjAxMDA=",
      "MzliNzFkY2EtM2Y5MS00MDI2LTk1ZjEtMjdmYmFmYWY5M2IxLTkyMzItMTY3Nzc2MDc4NS4yMjc0MTQxMDA=",
      "MzliNzFkY2EtM2Y5MS00MDI2LTk1ZjEtMjdmYmFmYWY5M2IxLTkyMC0xNjc3NzYwMzkxLjc1NjEyMjAwMA==",
      "MzliNzFkY2EtM2Y5MS00MDI2LTk1ZjEtMjdmYmFmYWY5M2IxLTcwOC0xNjc3NzYwMzg4Ljk3MzQ5MTMwMA==",
      "MzliNzFkY2EtM2Y5MS00MDI2LTk1ZjEtMjdmYmFmYWY5M2IxLTU2OC0xNjc3NzYwMzg4LjczMTIwNzMwMA=="
    ],
    "process.Ext.api.parameters.desired_access": [
      "PROCESS_QUERY_INFORMATION",
      "PROCESS_QUERY_LIMITED_INFORMATION",
      "PROCESS_VM_READ"
    ],
    "data_stream.type": [
      "logs"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "nanodump.x64.exe"
    ],
    "agent.id": [
      "39b71dca-3f91-4026-95f1-27fbafaf93b1"
    ],
    "ecs.version": [
      "1.11.0"
    ],
    "event.created": [
      "2023-03-02T13:03:20.247Z"
    ],
    "agent.version": [
      "8.7.0"
    ],
    "host.os.family": [
      "windows"
    ],
    "process.thread.id": [
      6056
    ],
    "user.name": [
      "jbrown"
    ],
    "process.Ext.api.name": [
      "OpenProcess"
    ],
    "process.entity_id": [
      "MzliNzFkY2EtM2Y5MS00MDI2LTk1ZjEtMjdmYmFmYWY5M2IxLTQ5ODQtMTY3Nzc2MjIwMC4yNDcwMDUwMDA="
    ],
    "process.executable.caseless": [
      "c:\\users\\public\\nanodump.x64.exe"
    ],
    "host.ip": [
      "172.16.66.36",
      "127.0.0.1",
      "::1",
      "fe80::ffff:ffff:fffe",
      "fe80::5efe:ac10:4224"
    ],
    "event.sequence": [
      37398
    ],
    "agent.type": [
      "endpoint"
    ],
    "process.executable.text": [
      "C:\\Users\\Public\\nanodump.x64.exe"
    ],
    "event.module": [
      "endpoint"
    ],
    "host.os.kernel": [
      "1607 (10.0.14393.4467)"
    ],
    "host.os.full.caseless": [
      "windows server 2016 datacenter 1607 (10.0.14393.4467)"
    ],
    "user.domain": [
      "3B"
    ],
    "process.name.caseless": [
      "nanodump.x64.exe"
    ],
    "host.id": [
      "83989f29-8447-4b3c-a54b-4a0f7e5a4872"
    ],
    "process.executable": [
      "C:\\Users\\Public\\nanodump.x64.exe"
    ],
    "process.Ext.api.parameters.handle_type": [
      "process"
    ],
    "Target.process.name.caseless": [
      "lsass.exe"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "Target.process.name.text": [
      "lsass.exe"
    ],
    "process.thread.Ext.call_stack.module_path": [
      "C:\\Users\\Public\\nanodump.x64.exe",
      "C:\\Users\\Public\\nanodump.x64.exe",
      "C:\\Users\\Public\\nanodump.x64.exe",
      "C:\\Users\\Public\\nanodump.x64.exe",
      "C:\\Users\\Public\\nanodump.x64.exe",
      "C:\\Windows\\System32\\kernel32.dll",
      "C:\\Windows\\System32\\ntdll.dll"
    ],
    "message": [
      "Endpoint Credential Access event"
    ],
    "process.thread.Ext.call_stack_final_user_module": [
      {
        "path": [
          "C:\\Users\\Public\\nanodump.x64.exe"
        ]
      }
    ],
    "host.os.Ext.variant": [
      "Windows Server 2016 Datacenter"
    ],
    "event.ingested": [
      "2023-03-02T13:03:28Z"
    ],
    "@timestamp": [
      "2023-03-02T13:03:20.247Z"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "endpoint.events.api"
    ],
    "event.type": [
      "access"
    ],
    "process.Ext.api.parameters.desired_access_numeric": [
      5136
    ],
    "event.id": [
      "N+0LdfhWYmXMIih5+++++HFs"
    ],
    "Target.process.name": [
      "lsass.exe"
    ],
    "host.os.name.caseless": [
      "windows"
    ],
    "event.dataset": [
      "endpoint.events.api"
    ],
    "user.name.text": [
      "jbrown"
    ]
  }
}

rules/windows/credential_access_lsass_openprocess_api.toml

terrancedejesus · 2023-03-02T15:36:55Z

So these are win32 API names we can specify rather than relying on event.code? When I looked at the PR, I started to ask why not include common APIs used for dumping such as PssCaptureSnapShot or MiniDumpWriteDump where we have existing rules covering this or do we keep this rule more generic.

Example: https://www.elastic.co/guide/en/security/master/potential-lsass-memory-dump-via-psscapturesnapshot.html

terrancedejesus

Left some comments, questions and suggestions. To avoid blockage, I am approving as the existing logic seems fine for a generic detection approach. Feel free to adjust or not based on your expertise 😄

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

Samirbous · 2023-03-04T12:45:06Z

So these are win32 API names we can specify rather than relying on event.code? When I looked at the PR, I started to ask why not include common APIs used for dumping such as PssCaptureSnapShot or MiniDumpWriteDump where we have existing rules covering this or do we keep this rule more generic.

Example: https://www.elastic.co/guide/en/security/master/potential-lsass-memory-dump-via-psscapturesnapshot.html

the api where target is lsass should capture them all (it trigger on any process handle with lsass being the process.name).

w0rk3r

🔥 🧙🏼

rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Create credential_access_lsass_openprocess_api.toml * Update credential_access_lsass_openprocess_api.toml * Update credential_access_lsass_openprocess_api.toml * Update non-ecs-schema.json * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/credential_access_lsass_openprocess_api.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update credential_access_lsass_openprocess_api.toml * Update non-ecs-schema.json --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit 51d50b7)

Create credential_access_lsass_openprocess_api.toml

9fb3f79

Samirbous added Rule: New Proposal for new rule OS: Windows windows related rules v8.7.0 labels Mar 2, 2023

Samirbous self-assigned this Mar 2, 2023

botelastic bot added the Domain: Endpoint label Mar 2, 2023

Samirbous requested a review from w0rk3r March 2, 2023 13:21

github-actions bot added the backport: auto label Mar 2, 2023

Samirbous requested review from brokensound77 and terrancedejesus March 2, 2023 13:21

Samirbous added 3 commits March 2, 2023 13:53

Update credential_access_lsass_openprocess_api.toml

37ec006

Update credential_access_lsass_openprocess_api.toml

7a19783

Update non-ecs-schema.json

6597ceb

Samirbous requested a review from Mikaayenson as a code owner March 2, 2023 14:18

brokensound77 reviewed Mar 2, 2023

View reviewed changes

rules/windows/credential_access_lsass_openprocess_api.toml Outdated Show resolved Hide resolved

rules/windows/credential_access_lsass_openprocess_api.toml Outdated Show resolved Hide resolved

rules/windows/credential_access_lsass_openprocess_api.toml Show resolved Hide resolved

terrancedejesus reviewed Mar 2, 2023

View reviewed changes

rules/windows/credential_access_lsass_openprocess_api.toml Outdated Show resolved Hide resolved

terrancedejesus reviewed Mar 2, 2023

View reviewed changes

rules/windows/credential_access_lsass_openprocess_api.toml Outdated Show resolved Hide resolved

terrancedejesus approved these changes Mar 2, 2023

View reviewed changes

Mikaayenson and others added 4 commits March 3, 2023 06:44

Merge branch 'main' into lsass-endpoint

863d546

Update rules/windows/credential_access_lsass_openprocess_api.toml

614ce26

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

Update rules/windows/credential_access_lsass_openprocess_api.toml

730a13f

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Update rules/windows/credential_access_lsass_openprocess_api.toml

f7a43b4

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

Samirbous requested a review from brokensound77 March 4, 2023 12:42

w0rk3r approved these changes Mar 5, 2023

View reviewed changes

rules/windows/credential_access_lsass_openprocess_api.toml Outdated Show resolved Hide resolved

rules/windows/credential_access_lsass_openprocess_api.toml Outdated Show resolved Hide resolved

rules/windows/credential_access_lsass_openprocess_api.toml Outdated Show resolved Hide resolved

w0rk3r and others added 4 commits March 5, 2023 16:06

Merge branch 'main' into lsass-endpoint

be90ae0

Update rules/windows/credential_access_lsass_openprocess_api.toml

4d24e1d

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Update rules/windows/credential_access_lsass_openprocess_api.toml

c2f76af

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Update rules/windows/credential_access_lsass_openprocess_api.toml

674a73c

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

w0rk3r and others added 8 commits March 7, 2023 10:35

Merge branch 'main' into lsass-endpoint

56fc775

Merge branch 'main' into lsass-endpoint

8261aaa

Merge branch 'main' into lsass-endpoint

f68191c

Merge branch 'main' into lsass-endpoint

87cea3e

Merge branch 'main' into lsass-endpoint

9e08f2f

Merge branch 'main' into lsass-endpoint

2594a07

Update credential_access_lsass_openprocess_api.toml

3397897

Update non-ecs-schema.json

f3172ad

Samirbous merged commit 51d50b7 into main Apr 3, 2023

Samirbous deleted the lsass-endpoint branch April 3, 2023 13:34

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[New Rule] Lsass Process Access - Generic #2613

[New Rule] Lsass Process Access - Generic #2613

Uh oh!

Samirbous commented Mar 2, 2023

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

terrancedejesus commented Mar 2, 2023

Uh oh!

terrancedejesus left a comment

Uh oh!

Samirbous commented Mar 4, 2023 •

edited

Loading

Uh oh!

w0rk3r left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

[New Rule] Lsass Process Access - Generic #2613

[New Rule] Lsass Process Access - Generic #2613

Uh oh!

Conversation

Samirbous commented Mar 2, 2023

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

terrancedejesus commented Mar 2, 2023

Uh oh!

terrancedejesus left a comment

Choose a reason for hiding this comment

Uh oh!

Samirbous commented Mar 4, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

w0rk3r left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Samirbous commented Mar 4, 2023 •

edited

Loading