security-content/detections/create_remote_thread_into_lsass.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
asset_type: Windows
confidence: high
creation_date: '2019-12-06'
data_metadata:
  data_eventtypes:
    - wineventlog_sysmon
  data_source:
    - Windows Event Logs
  providing_technologies:
    - Microsoft Windows
description: Detect remote thread creation into LSASS consistent with credential dumping.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest
        rule_description: Possible attempt at credential dumping was detected on $dest$.
        rule_title: remote thread creation into LSASS on $dest$.
      risk:
        risk_object: dest
        risk_object_type:
          - system
        risk_score: 70
      macros:
        - sysmon
        - create_remote_thread_into_lsass_filter
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '`sysmon` EventID=8 TargetImage=*lsass.exe
        | stats count min(_time) as firstTime max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId
        | rename Computer as dest
        | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`create_remote_thread_into_lsass_filter`'
      suppress:
        suppress_fields: dest, TargetProcessId
        suppress_period: 86400s
eli5: This search detects the creation of a remote thread into LSASS (Local Security Authority Subsystem Service).
  This technique can be used by attackers to inject code into LSASS and dump the memory in order to obtain credentials.
entities:
  - dest
how_to_implement: 'This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.'
id: 67d4dbef-9564-4699-8da8-03a151529edc
investigations:
  - id: 5de385bf-4f1e-404e-9b67-92d162ff8938ad
    name: Investigate Previous Unseen User
    type: splunk
  - id: 097e8030-8662-4254-a735-bf0bdda696e3
    name: Investigate Failed Logins for Multiple Destinations
    type: splunk
  - id: ed3fff45-cba6-4990-983f-6fac72bee659
    name: Investigate Pass the Hash Attempts
    type: splunk
  - id: 990007ad-d798-4b29-ab2f-f0034144c937
    name: Investigate Pass the Ticket Attempts
    type: splunk
known_false_positives: Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.
maintainers:
  - company: Splunk
    email: pbareiss@splunk.com
    name: Patrick Bareiss
mappings:
  cis20:
    - CIS 8
    - CIS 16
  kill_chain_phases:
    - Actions on Objectives
  mitre_technique_id:
    - T1003
  mitre_attack:
    - Credential Access
    - Credential Dumping
  nist:
    - DE.CM
modification_date: '2019-12-06'
name: Create Remote Thread into LSASS
original_authors:
  - company: Splunk
    email: pbareiss@splunk.com
    name: Patrick Bareiss
references:
  - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
security_domain: endpoint
spec_version: 2
type: splunk
version: "1"