Duplicatehandle — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/duplicatehandle/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 17:30:00 +0000Potential Credential Access via LSASS Handle Duplicationhttps://feed.craftedsignal.io/briefs/2024-01-lsass-dupehandle/Wed, 03 Jan 2024 17:30:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-lsass-dupehandle/Detection of suspicious LSASS handle access via DuplicateHandle from an unknown call trace module, indicating a potential attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.This detection identifies suspicious attempts to access the Local Security Authority Subsystem Service (LSASS) memory via the DuplicateHandle function on Windows systems. LSASS is a critical process that manages user credentials, making it a prime target for credential dumping attacks. Attackers may use DuplicateHandle to bypass the NtOpenProcess API, which is commonly monitored, to evade detection. The rule focuses on EventCode 10, looking for lsass.exe requesting DuplicateHandle access rights (0x40) where the call trace originates from an unknown executable region (UNKNOWN). This technique is often associated with tools like MirrorDump.

Attack Chain

  1. An attacker gains initial access to the target system (e.g., via phishing or exploitation of a vulnerability).
  2. The attacker executes a malicious program or script on the compromised system.
  3. The malicious code attempts to open a handle to the LSASS process.
  4. Instead of using NtOpenProcess, the attacker leverages the DuplicateHandle function to obtain a handle to LSASS.
  5. The DuplicateHandle call originates from an unknown or suspicious module, as indicated by “UNKNOWN” in the call trace.
  6. With a valid handle to LSASS, the attacker dumps the LSASS memory to a file or other location.
  7. The attacker parses the dumped memory to extract sensitive credentials.
  8. The attacker uses the stolen credentials for lateral movement, privilege escalation, or data exfiltration.

Impact

Successful exploitation could lead to the compromise of user credentials, including domain administrator accounts. This can give attackers unrestricted access to the entire domain, allowing them to steal sensitive data, install malware, or disrupt critical services. The impact can range from data breaches and financial loss to complete infrastructure compromise.

Recommendation

  • Enable Sysmon process creation and event 10 logging to capture the necessary telemetry for this detection. (Setup instructions: https://ela.st/sysmon-event-10-setup)
  • Deploy the Sigma rule “Potential Credential Access via DuplicateHandle in LSASS” to your SIEM and tune for your environment to reduce false positives.
  • Investigate any alerts generated by this rule by reviewing the event logs and call trace details to identify suspicious modules or processes.
  • Implement enhanced monitoring and logging for LSASS and related processes to detect any future attempts to exploit the DuplicateHandle function.
]]>mediumadvisorycredential-accesslsassduplicatehandlemirrordumpwindows