windows_hunting_system_account_targeting_lsass.yml
name: Windows Hunting System Account Targeting Lsass
id: 1c6abb08-73d1-11ec-9ca0-acde48001122
version: 1
date: '2023-12-27'
author: Michael Haag, Splunk
status: production
type: Hunting
description: The following hunting analytic identifies all processes requesting access
  into Lsass.exe. This behavior may be related to credential dumping or to applications
  that require access to credentials. Triaging this event requires understanding the
  GrantedAccess requested by the SourceImage and whether the requesting account is
  privileged or not. Review the process requesting permissions and review parallel processes.
data_source:
- Sysmon EventID 10
search: '`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as
  firstTime max(_time) as lastTime by dest, TargetImage, GrantedAccess, SourceImage,
  SourceProcessId, SourceUser, TargetUser | `security_content_ctime(firstTime)` |
  `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
  logs with the process name, parent process, and command-line executions from your
  endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the
  Sysmon TA. Sysmon EventCode 10 must be enabled for the target process lsass.exe.
known_false_positives: False positives will occur based on GrantedAccess and SourceUser;
  filter based on source image as needed. Utilize this hunting analytic to tune out
  false positives in TTP or anomaly analytics.
references:
- https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN
tags:
  analytic_story:
  - CISA AA23-347A
  - Credential Dumping
  asset_type: Endpoint
  confidence: 80
  impact: 80
  message: A process, $SourceImage$, has requested access to LSASS on $dest$. Review
    for further details.
  mitre_attack_id:
  - T1003.001
  - T1003
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: SourceImage
    type: Process
    role:
    - Child Process
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - dest
  - TargetImage
  - GrantedAccess
  - SourceImage
  - SourceProcessId
  - SourceUser
  - TargetUser
  risk_score: 64
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
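The search field in this analytic is SPL, so as an added example (not part of this analytic or of the Splunk security_content project) the following Python re-implements its filter and `stats` aggregation over constructed Sysmon EventID 10 records and adds a GrantedAccess decoder for the triage step the description calls for. The field names match the search; the host name, image paths, PIDs, users and the subset of access-right constants are assumptions made for the example.

```python
# Added example, not code from the Splunk security_content project.
PROCESS_RIGHTS = {  # subset of Win32 process access rights, used to decode GrantedAccess
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
GROUP_KEYS = ("dest", "TargetImage", "GrantedAccess", "SourceImage",
              "SourceProcessId", "SourceUser", "TargetUser")
LSASS = r"C:\Windows\System32\lsass.exe"

def make_event(t, source_image, pid, user, access, target=LSASS):
    """Build one constructed Sysmon EventID 10 record with the field names the search uses."""
    return {"_time": t, "EventCode": "10", "dest": "ws01", "TargetImage": target,
            "GrantedAccess": access, "SourceImage": source_image, "SourceProcessId": pid,
            "SourceUser": user, "TargetUser": r"NT AUTHORITY\SYSTEM"}

# Constructed sample, not real telemetry: two SYSTEM-context reads from the same svchost,
# one read from a user-context binary, and one event against a non-LSASS target.
SAMPLE_EVENTS = [
    make_event(1703673600, r"C:\Windows\System32\svchost.exe", "812", r"NT AUTHORITY\SYSTEM", "0x1000"),
    make_event(1703673660, r"C:\Windows\System32\svchost.exe", "812", r"NT AUTHORITY\SYSTEM", "0x1000"),
    make_event(1703673720, r"C:\Users\jdoe\Downloads\tool.exe", "4412", r"CORP\jdoe", "0x1410"),
    make_event(1703673780, r"C:\Users\jdoe\Downloads\tool.exe", "4412", r"CORP\jdoe", "0x1410",
               target=r"C:\Windows\System32\notepad.exe"),
]

def decode_granted_access(mask):
    """Return the named rights set in a Sysmon GrantedAccess hex string such as '0x1410'."""
    value = int(mask, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]

def hunt_lsass_access(events):
    """Python equivalent of: EventCode=10 TargetImage=*lsass.exe
    | stats count min(_time) as firstTime max(_time) as lastTime by GROUP_KEYS."""
    rows = {}
    for ev in events:
        if str(ev.get("EventCode")) != "10" or not ev["TargetImage"].lower().endswith("lsass.exe"):
            continue
        key = tuple(ev[k] for k in GROUP_KEYS)
        agg = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ev["_time"])
        agg["lastTime"] = max(agg["lastTime"], ev["_time"])
    results = []
    for key, agg in sorted(rows.items(), key=lambda kv: kv[1]["firstTime"]):
        row = dict(zip(GROUP_KEYS, key), **agg)
        row["rights"] = decode_granted_access(row["GrantedAccess"])  # triage aid for GrantedAccess
        row["system_account"] = row["SourceUser"].upper().startswith("NT AUTHORITY\\")
        results.append(row)
    return results
```

The `system_account` and `rights` columns are the two triage questions the description raises (who requested the handle, and what access was granted); the `windows_hunting_system_account_targeting_lsass_filter` macro has no equivalent here.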