elastic / detection-rules


[Rule Tuning] LSASS Memory Dump Creation #3756

Closed ar3diu closed 3 months ago

ar3diu commented 5 months ago

Link to rule

https://github.com/elastic/detection-rules/blob/5f36f3a03eab0b0f129477b4c33b4291d4d11126/rules/windows/credential_access_lsass_memdump_file_created.toml

Description

WerFaultSecure.exe should also be added to the last exclusion in the rule query. The example alert below shows a Microsoft-signed WerFaultSecure.exe (running as SYSTEM) writing lsass.exe.1616.protected.dmp into the systemprofile CrashDumps path, which the current exclusion (WerFault.exe only) does not cover; the added executable stays bound to the same CrashDumps file.path constraint, so dumps written elsewhere still alert:

  not (
        process.executable : ("?:\\Windows\\system32\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe") and
        file.path : (
          "?:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\lsass.exe.*.dmp",
          "?:\\Windows\\System32\\%LOCALAPPDATA%\\CrashDumps\\lsass.exe.*.dmp"
        )
  )

Example Data

{ "_index": ".internal.alerts-security.alerts-redacted-000043", "_id": "cb4d38065ee5a7ce276507367a914971e36754f3c2b361c7655b2511897182e5", "_score": 2, "_source": { "kibana.alert.start": "2024-06-05T07:27:53.936Z", "kibana.alert.last_detected": "2024-06-05T07:27:53.936Z", "kibana.version": "8.13.4", "kibana.alert.rule.parameters": {}, "kibana.alert.rule.category": "Event Correlation Rule", "kibana.alert.rule.consumer": "siem", "kibana.alert.rule.execution.uuid": "09875dae-331d-4ab0-81f6-0d58cea7e0bb", "kibana.alert.rule.name": "LSASS Memory Dump Creation", "kibana.alert.rule.producer": "siem", "kibana.alert.rule.revision": 109, "kibana.alert.rule.rule_type_id": "siem.eqlRule", "kibana.alert.rule.uuid": "a78a1331-8f12-11ec-ae5e-0d4dcb720975", "kibana.space_ids": [ "redacted" ], "kibana.alert.rule.tags": [], "@timestamp": "2024-06-05T07:27:53.862Z", "agent": { "id": "3337a3b0-a2a1-47dd-ad07-04821959cfcb", "type": "endpoint", "version": "8.13.4" }, "process": { "Ext": { "ancestry": [ "MzMzN2EzYjAtYTJhMS00N2RkLWFkMDctMDQ4MjE5NTljZmNiLTE2MTYtMTcxNzU3MTIzMi41NzI4NTIwMA==", "MzMzN2EzYjAtYTJhMS00N2RkLWFkMDctMDQ4MjE5NTljZmNiLTE1MTYtMTcxNzU3MTIzMS45MTA3OTIxMDA=" ], "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows Publisher", "exists": true, "status": "trusted" } ] }, "parent": { "pid": 1616 }, "code_signature": { "trusted": true, "subject_name": "Microsoft Windows Publisher", "exists": true, "status": "trusted" }, "name": "WerFaultSecure.exe", "pid": 12004, "thread": { "id": 12008 }, "entity_id": "MzMzN2EzYjAtYTJhMS00N2RkLWFkMDctMDQ4MjE5NTljZmNiLTEyMDA0LTE3MTc1NzIxNDYuNTM3NTg0ODAw", "executable": "C:\\Windows\\System32\\WerFaultSecure.exe" }, "message": "Endpoint file event", "tags": [ "beats_input_codec_plain_applied" ], "file": { "Ext": { "header_data": [], "entropy": 7.79167734784024, "header_bytes": "f30e3ea171d5af4e9fbbf80d0b19a3c0", "windows": { "zone_identifier": -1 } }, "path": 
"C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\lsass.exe.1616.protected.dmp", "extension": "dmp", "size": 1545115, "name": "lsass.exe.1616.protected.dmp" }, "ecs": { "version": "8.10.0" }, "data_stream": { "namespace": "redacted", "type": "logs", "dataset": "endpoint.events.file" }, "@version": "1", "host": { "hostname": "redacted", "os": { "Ext": { "variant": "Windows 11 Pro" }, "kernel": "23H2 (10.0.22631.3593)", "name": "Windows", "family": "windows", "type": "windows", "version": "23H2 (10.0.22631.3593)", "platform": "windows", "full": "Windows 11 Pro 23H2 (10.0.22631.3593)" }, "ip": [ "redacted" ], "name": "redacted", "id": "c7989b7d-52cd-4121-b4b6-fdc4f1e31e67", "mac": [ "redacted" ], "architecture": "x86_64" }, "elastic": { "agent": { "id": "3337a3b0-a2a1-47dd-ad07-04821959cfcb" } }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM", "id": "S-1-5-18" }, "event.agent_id_status": "auth_metadata_missing", "event.sequence": 15881, "event.ingested": "2024-06-05T07:24:37Z", "event.created": "2024-06-05T07:22:33.8398949Z", "event.kind": "signal", "event.module": "endpoint", "event.action": "creation", "event.id": "Na+CdZakHxO6Dv20++++/WlH", "event.category": [ "file" ], "event.type": [ "creation" ], "event.dataset": "endpoint.events.file", "event.outcome": "unknown", "kibana.alert.original_time": "2024-06-05T07:22:33.839Z", "kibana.alert.ancestors": [ { "id": "fUVJ548BPUPbHtgmFFsp", "type": "event", "index": ".ds-logs-endpoint.events.file-redacted-2024.05.08-000004", "depth": 0 } ], "kibana.alert.status": "active", "kibana.alert.workflow_status": "open", "kibana.alert.depth": 1, "kibana.alert.reason": "file event with process WerFaultSecure.exe, file lsass.exe.1616.protected.dmp, by SYSTEM on redacted created high alert LSASS Memory Dump Creation.", "kibana.alert.severity": "high", "kibana.alert.risk_score": 73, "kibana.alert.rule.actions": [], "kibana.alert.rule.author": [ "Elastic" ], "kibana.alert.rule.created_at": 
"2022-02-16T10:24:49.148Z", "kibana.alert.rule.created_by": "elastic", "kibana.alert.rule.description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) redacted memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", "kibana.alert.rule.enabled": true, "kibana.alert.rule.exceptions_list": [], "kibana.alert.rule.false_positives": [], "kibana.alert.rule.from": "now-9m", "kibana.alert.rule.immutable": true, "kibana.alert.rule.interval": "5m", "kibana.alert.rule.indices": [ "winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*" ], "kibana.alert.rule.license": "Elastic License v2", "kibana.alert.rule.max_signals": 100, "kibana.alert.rule.note": "", "kibana.alert.rule.references": [ "https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial" ], "kibana.alert.rule.risk_score_mapping": [], "kibana.alert.rule.rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", "kibana.alert.rule.severity_mapping": [], "kibana.alert.rule.threat": [], "kibana.alert.rule.timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "kibana.alert.rule.timeline_title": "Comprehensive File Timeline", "kibana.alert.rule.timestamp_override": "event.ingested", "kibana.alert.rule.to": "now", "kibana.alert.rule.type": "eql", "kibana.alert.rule.updated_at": "2024-04-25T08:51:48.532Z", "kibana.alert.rule.updated_by": "redacted", "kibana.alert.rule.version": 109, "kibana.alert.url": "redacted", "kibana.alert.uuid": "cb4d38065ee5a7ce276507367a914971e36754f3c2b361c7655b2511897182e5", "kibana.alert.workflow_tags": [], "kibana.alert.workflow_assignee_ids": [], "kibana.alert.rule.risk_score": 73, "kibana.alert.rule.severity": "high", "kibana.alert.original_event.agent_id_status": "auth_metadata_missing", "kibana.alert.original_event.sequence": 15881, 
"kibana.alert.original_event.ingested": "2024-06-05T07:24:37Z", "kibana.alert.original_event.created": "2024-06-05T07:22:33.8398949Z", "kibana.alert.original_event.kind": "event", "kibana.alert.original_event.module": "endpoint", "kibana.alert.original_event.action": "creation", "kibana.alert.original_event.id": "Na+CdZakHxO6Dv20++++/WlH", "kibana.alert.original_event.category": [ "file" ], "kibana.alert.original_event.type": [ "creation" ], "kibana.alert.original_event.dataset": "endpoint.events.file", "kibana.alert.original_event.outcome": "unknown" } }
w0rk3r commented 5 months ago

@ar3diu do you want to do a PR for this one too?

ar3diu commented 5 months ago

@w0rk3r https://github.com/elastic/detection-rules/pull/3810

botelastic[bot] commented 3 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

w0rk3r commented 3 months ago

Fixed in https://github.com/elastic/detection-rules/pull/3810