Threat Feed
high advisory

Potential LSASS Clone Creation via PssCaptureSnapShot

Detection of LSASS process cloning using PssCaptureSnapShot, where the parent process is also LSASS, indicating a potential attempt to dump LSASS memory for credential access.

This detection identifies the creation of an LSASS process clone via PssCaptureSnapShot on Windows systems. The rule focuses on scenarios where the parent process of the new LSASS instance is also lsass.exe. This behavior is often associated with attackers attempting to bypass security controls and dump LSASS memory to extract credentials. The technique is used to evade detection mechanisms that monitor the primary LSASS process. Successful exploitation can lead to the compromise of domain or local credentials stored in memory, allowing for lateral movement and privilege escalation within the network. The detection is based on Windows Security Event Logs, specifically event code 4688, and is designed to identify this specific cloning behavior.

Attack Chain

  1. The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
  2. The attacker executes code on the target system, potentially using tools like PowerShell or command-line utilities.
  3. The attacker initiates a process to clone the LSASS process using PssCaptureSnapShot.
  4. The newly created process, a clone of LSASS, runs alongside the original.
  5. The attacker leverages the cloned LSASS process to dump its memory. This may involve tools like comsvcs.dll, rundll32.exe or custom scripts leveraging the MiniDumpWriteDump function.
  6. The attacker extracts sensitive information from the dumped memory, including usernames, passwords, and Kerberos tickets.
  7. The attacker uses the extracted credentials to move laterally within the network, accessing additional systems and resources.
  8. The attacker achieves their final objective, such as data exfiltration or deploying ransomware.

Impact

Successful exploitation can result in the compromise of sensitive credentials stored in LSASS memory, including domain and local account credentials. This can lead to unauthorized access to critical systems and data, potentially resulting in data breaches, financial loss, and reputational damage. Domain controllers, jump hosts, and systems with privileged accounts are at especially high risk. The number of affected systems can range from a single machine to a large portion of the network, depending on the attacker’s objectives and the scope of the compromised credentials.

Recommendation

  • Enable and monitor Windows Security Event Logs with event code 4688 for process creation events, specifically focusing on the process and parent process names to identify LSASS cloning attempts (see rule below).
  • Deploy the provided Sigma rule to your SIEM to detect potential LSASS clone creation via PssCaptureSnapShot. Tune the rule for your environment to reduce false positives.
  • Investigate any alerts generated by the Sigma rule, focusing on identifying the processes involved in cloning and dumping LSASS memory.
  • Enable Audit Process Creation and Command Line logging as per the Elastic documentation to ensure the events used by the provided Sigma rules are captured.
  • If an LSASS clone is detected, review authentication events (4624, 4648, 4625) on the affected host to identify any suspicious logons or credential usage.
  • Monitor for file activity related to memory dumps (e.g., .dmp files written by the cloned process) to identify potential credential theft attempts.
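The detection logic described above (event 4688 where both the new process and its parent are lsass.exe) and the follow-on dump-tool check from the attack chain, as an added example that is not the platform's own Sigma rules. Field names follow the Windows Security 4688 event (NewProcessName, ParentProcessName, CommandLine), but every record below is constructed, and the rundll32/comsvcs.dll check is an assumed reading of what the "Detect LSASS Memory Dump Tools" rule might cover, since the page does not show its query.

```python
"""Toy detector for the two behaviours in this advisory, run over constructed
Windows Security event 4688 records. Added example, not the platform's own
Sigma rules; the sample events are constructed, not captured logs."""

from __future__ import annotations
from typing import Iterable

# Rule names and levels as listed under "Detection coverage".
RULE_CLONE = ("Detect LSASS Clone Creation via Identical Executables", "high")
RULE_DUMP_TOOL = ("Detect LSASS Memory Dump Tools", "medium")


def _image_is(path: str, name: str) -> bool:
    """Case-insensitive check that a full image path ends in '\\<name>'."""
    return path.lower().endswith("\\" + name.lower())


def is_lsass_clone(event: dict) -> bool:
    """Rule 1: a new lsass.exe whose parent is also lsass.exe, the
    PssCaptureSnapShot clone pattern the advisory describes."""
    if event.get("EventID") != 4688:
        return False
    return (_image_is(event.get("NewProcessName", ""), "lsass.exe")
            and _image_is(event.get("ParentProcessName", ""), "lsass.exe"))


def is_lsass_dump_tool(event: dict) -> bool:
    """Rule 2 (assumed logic): rundll32.exe invoking comsvcs.dll's MiniDump
    export, one of the dump tools named in the attack chain."""
    if event.get("EventID") != 4688:
        return False
    cmd = event.get("CommandLine", "").lower()
    return (_image_is(event.get("NewProcessName", ""), "rundll32.exe")
            and "comsvcs.dll" in cmd and "minidump" in cmd)


def triage(events: Iterable[dict]) -> list[dict]:
    """Return one finding per matching event with the rule name, level and
    the identifiers an analyst needs to pivot (host, PID, parent PID)."""
    findings = []
    for ev in events:
        if is_lsass_clone(ev):
            rule, level = RULE_CLONE
        elif is_lsass_dump_tool(ev):
            rule, level = RULE_DUMP_TOOL
        else:
            continue
        findings.append({
            "rule": rule,
            "level": level,
            "host": ev.get("Computer"),
            "pid": ev.get("NewProcessId"),
            "parent_pid": ev.get("ProcessId"),
            "command_line": ev.get("CommandLine", ""),
        })
    return findings


# Constructed sample events (not real telemetry). Event 0 is the normal
# lsass.exe start under wininit.exe; event 1 is the clone pattern; event 2 is
# the dump-tool pattern; events 3 and 4 are benign / wrong-event-ID controls.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01.example.test",
     "NewProcessName": r"C:\Windows\System32\lsass.exe", "NewProcessId": "0x2c4",
     "ParentProcessName": r"C:\Windows\System32\wininit.exe", "ProcessId": "0x1f8",
     "CommandLine": r"C:\Windows\system32\lsass.exe"},
    {"EventID": 4688, "Computer": "WS01.example.test",
     "NewProcessName": r"C:\Windows\System32\lsass.exe", "NewProcessId": "0x1a4c",
     "ParentProcessName": r"C:\Windows\System32\lsass.exe", "ProcessId": "0x2c4",
     "CommandLine": ""},
    {"EventID": 4688, "Computer": "WS01.example.test",
     "NewProcessName": r"C:\Windows\System32\rundll32.exe", "NewProcessId": "0x1b10",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "ProcessId": "0x1a00",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 708 C:\temp\x.dmp full"},
    {"EventID": 4688, "Computer": "WS01.example.test",
     "NewProcessName": r"C:\Windows\System32\rundll32.exe", "NewProcessId": "0x1b20",
     "ParentProcessName": r"C:\Windows\explorer.exe", "ProcessId": "0xd04",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"EventID": 4689, "Computer": "WS01.example.test",
     "NewProcessName": r"C:\Windows\System32\lsass.exe", "NewProcessId": "0x1a4c",
     "ParentProcessName": r"C:\Windows\System32\lsass.exe", "ProcessId": "0x2c4",
     "CommandLine": ""},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['level']}] {f['rule']} on {f['host']} pid={f['pid']} parent={f['parent_pid']}")
```

The parent/child comparison is deliberately done on the image path's basename so that the rule fires regardless of drive letter or case, while the explicit EventID guard keeps process-exit (4689) records from matching. The `parent_pid` in each finding is what the recommendation above asks you to pivot on: it is the PID of the original LSASS in the clone case, and of the launching shell in the dump-tool case.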

Detection coverage (2 rules)

Detect LSASS Clone Creation via Identical Executables

high

Detects the creation of an LSASS process where the parent process is also LSASS, indicating potential credential dumping.

Format: Sigma | Tactics: credential_access | Techniques: T1003.001 | Sources: process_creation, windows

Detect LSASS Memory Dump Tools

medium

Detects common tools used to dump LSASS memory, often used after cloning.

Format: Sigma | Tactics: credential_access | Techniques: T1003.001 | Sources: process_creation, windows
