forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathdetect_credential_dumping_through_LSASS_access.yml
More file actions
99 lines (99 loc) · 3.62 KB
/
detect_credential_dumping_through_LSASS_access.yml
File metadata and controls
99 lines (99 loc) · 3.62 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
asset_type: Windows
confidence: medium
creation_date: '2018-08-28'
data_metadata:
data_eventtypes:
- wineventlog_sysmon
data_source:
- Windows Event Logs
providing_technologies:
- Microsoft Windows
description: This search looks for reading lsass memory consistent with credential dumping.
detect:
splunk:
correlation_rule:
notable:
nes_fields: user, dest
rule_description: Possible attempt at credential dumping was detected on $dest$.
rule_title: Detect reading lsass memory on $dest$.
risk:
risk_object: dest
risk_object_type:
- system
risk_score: 40
macros:
- sysmon
- detect_credential_dumping_through_LSASS_access_filter
schedule:
cron_schedule: 0 * * * *
earliest_time: -70m@m
latest_time: -10m@m
search: '`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410)
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess
| rename Computer as dest
| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
| `detect_credential_dumping_through_LSASS_access_filter`'
suppress:
suppress_fields: user, dest, ProcessName
suppress_period: 86400s
eli5: This search looks for LSASS access using Credential Dumping tools by detecting Process access with
Sysmon logs (EventCode 10), TargetImage lsass.exe and GrantedAccess 0x1410 or 0x1010.
This will for example detect the use of sekurlsa::logonpasswords in Mimikatz.
entities:
- dest
how_to_implement: 'This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.'
id: 2c365e57-4414-4540-8dc0-73ab10729996
investigations:
- id: 5de385bf-4f1e-404e-9b67-92d162ff8938ad
name: Investigate Previous Unseen User
type: splunk
- id: 097e8030-8662-4254-a735-bf0bdda696e3
name: Investigate Failed Logins for Multiple Destinations
type: splunk
- id: ed3fff45-cba6-4990-983f-6fac72bee659
name: Investigate Pass the Hash Attempts
type: splunk
- id: 990007ad-d798-4b29-ab2f-f0034144c937
name: Investigate Pass the Ticket Attempts
type: splunk
known_false_positives: The activity may be legitimate. Other tools can access lsass
for legitimate reasons, and it's possible this event could be generated
in those cases. In these cases, false positives should be fairly obvious and you
may need to tweak the search to eliminate noise.
maintainers:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
- company: Splunk
email: pbareiss@splunk.com
name: Patrick Bareiss
mappings:
cis20:
- CIS 3
- CIS 5
- CIS 16
kill_chain_phases:
- Actions on Objectives
mitre_attack:
- Credential Access
- Credential Dumping
mitre_technique_id:
- T1003
nist:
- PR.IP
- PR.AC
- DE.CM
modification_date: '2019-12-03'
name: Detect Credential Dumping through LSASS access
original_authors:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
- company: Splunk
email: pbareiss@splunk.com
name: Patrick Bareiss
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: "3"