Credential dumpers like Mimikatz can be loaded into memory and from there read data from another processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are "overtuned" to look for common access patterns used by Mimikatz.
This is specific to the way Mimikatz works currently, and thus is fragile to both future updates and non-default configurations of Mimikatz.
Language: Splunk .
Data Model: Sysmon Native
index=__your_sysmon_data__ EventCode=10
TargetImage="C:\\WINDOWS\\system32\\lsass.exe"
(GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)"
| table _time hostname user SourceImage GrantedAccess
Outliers
This is an outlier version of the above without including the specific call trace. This should work in more (but not all) situations however runs more slowly and will have more false positives - typically installers.
Language: Splunk .
Data Model: Sysmon Native
earliest=-d@d latest=now() index=__your_sysmon_data__
EventCode=10
TargetImage="C:\\WINDOWS\\system32\\lsass.exe"
(GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
| search NOT [ search earliest=-7d@d latest=-2d@d index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
| dedup SourceImage
| fields SourceImage ]
| table _time hostname user SourceImage GrantedAccess
Data Model Mappings
This requires information about process access, e.g. Sysmon Event ID 10. That currently doesn't have a CAR data model mapping.
References
Analytic developed by Sean Whitley @ MITRE, received his permission to post these two implementations.
Credential Dumping via Mimikatz
Credential dumpers like Mimikatz can be loaded into memory and from there read data from another processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are "overtuned" to look for common access patterns used by Mimikatz.
ATT&CK Coverage
Implementations
Common Mimikatz GrantedAccess Patterns
This is specific to the way Mimikatz works currently, and thus is fragile to both future updates and non-default configurations of Mimikatz.
Language: Splunk . Data Model: Sysmon Native
Outliers
This is an outlier version of the above without including the specific call trace. This should work in more (but not all) situations however runs more slowly and will have more false positives - typically installers.
Language: Splunk . Data Model: Sysmon Native
Data Model Mappings
This requires information about process access, e.g. Sysmon Event ID 10. That currently doesn't have a CAR data model mapping.
References
Analytic developed by Sean Whitley @ MITRE, received his permission to post these two implementations.
Credit to Cyb3rWard0g, dim0x69 (blog.3or.de), and Mark Russinovich for providing much of the information used to construct these analytics. https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/attack_matrix/windows/credential_access/credential_dumping/mimikatz_inmem.md
Developer Certificate of Origin
DCO signed-off-by: John Wunder jwunder@mitre.org