{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lsass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Windows Error Reporting"],"_cs_severities":["medium"],"_cs_tags":["credential-access","windows","lsass","wepw"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe LSASS Shtinkering attack involves abusing Windows Error Reporting (WER) to dump the memory of the LSASS process, which contains sensitive credentials. By enabling full user-mode dumps system-wide, attackers can fake a crash on LSASS, causing WER to generate a dump file. This setting is not enabled by default and requires modifying the registry. The DeepInstinct researchers publicized this attack at Defcon 30, demonstrating a method to access credentials without directly injecting malware into the LSASS process. This technique allows attackers to bypass traditional endpoint detection mechanisms that focus on malware signatures, making it a stealthy approach to credential theft. Defenders should monitor for registry modifications related to WER dump settings to detect and prevent this attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType\u003c/code\u003e to the value \u003ccode\u003e2\u003c/code\u003e or \u003ccode\u003e0x00000002\u003c/code\u003e to enable full user-mode dumps system-wide.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a crash or fakes a crash of the LSASS process.\u003c/li\u003e\n\u003cli\u003eWindows Error Reporting (WER) generates a full user-mode dump file of the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe dump file is stored in the location specified in the registry, typically \u003ccode\u003eC:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the generated dump file.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credentials from the LSASS dump file using tools like Mimikatz or custom scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally within the network or access sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of domain credentials and other sensitive information stored in LSASS memory, such as NTLM hashes and Kerberos tickets. This can enable attackers to move laterally within the network, escalate privileges, and access critical systems and data. A single compromised system can lead to a widespread breach affecting numerous users and systems. The sectors most vulnerable are those handling sensitive data or critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Full User-Mode Dumps Enabled System-Wide\u0026rdquo; to your SIEM to detect suspicious registry modifications related to Windows Error Reporting (WER).\u003c/li\u003e\n\u003cli\u003eExamine process execution logs to identify any suspicious processes that may have triggered the dump, especially those not matching the legitimate \u003ccode\u003esvchost.exe\u003c/code\u003e process with user IDs \u003ccode\u003eS-1-5-18\u003c/code\u003e, \u003ccode\u003eS-1-5-19\u003c/code\u003e, or \u003ccode\u003eS-1-5-20\u003c/code\u003e as described in the rule\u0026rsquo;s investigation guide.\u003c/li\u003e\n\u003cli\u003eMonitor for access to WER dump files located in \u003ccode\u003eC:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\u003c/code\u003e using file monitoring rules.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint protection configurations to ensure they can detect and block credential dumping techniques as mentioned in the rule\u0026rsquo;s response and remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-lsass-shtinkering/","summary":"Attackers can enable full user-mode dumps system-wide via registry modification to facilitate LSASS credential dumping, allowing extraction of credentials from process memory without deploying malware.","title":"LSASS Credential Dumping via Windows Error Reporting (WER) Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-26-lsass-shtinkering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","lsass","seclogon","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat leverages the Windows Secondary Logon service (seclogon.dll) to gain unauthorized access to the Local Security Authority Subsystem Service (LSASS) process. The attack involves manipulating the seclogon service to leak an LSASS handle, which can then be used to extract credentials. This technique is often employed as a precursor to credential dumping and lateral movement within a compromised network. The detection focuses on identifying specific call traces to seclogon.dll coupled with suspicious access rights (0x14c0) when accessing LSASS, originating from svchost.exe. Defenders should monitor for this activity as it indicates a potential attempt to compromise sensitive credentials stored within LSASS memory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes code within the context of a user account.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the Secondary Logon service (seclogon.dll) to request access to LSASS.\u003c/li\u003e\n\u003cli\u003eThe malicious code interacts with the seclogon service to obtain a handle to the LSASS process with specific access rights (0x14c0), typically from a svchost.exe process.\u003c/li\u003e\n\u003cli\u003eThe seclogon service, acting on behalf of the attacker, grants access to LSASS.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the leaked LSASS handle to read memory contents.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information, such as user credentials (passwords, NTLM hashes, Kerberos tickets), from the LSASS memory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement, privilege escalation, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal user credentials, leading to unauthorized access to sensitive systems and data. This can result in data breaches, financial losses, and reputational damage. The compromise of domain administrator credentials can grant the attacker complete control over the entire Windows domain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (event ID 1) and process access logging (event ID 10) to detect suspicious LSASS handle access.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Lsass Handle Access via MalSecLogon\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the call trace, access rights, and source process.\u003c/li\u003e\n\u003cli\u003eMonitor authentication events for signs of credential misuse following suspicious LSASS access.\u003c/li\u003e\n\u003cli\u003eReview local administrator and debug-privilege exposure, LSASS protection such as RunAsPPL or Credential Guard where supported, and Secondary Logon service necessity on critical servers\u003c/li\u003e\n\u003cli\u003eBlock the GrantedAccess value \u0026ldquo;0x14c0\u0026rdquo; in conjunction with CallTrace \u0026ldquo;\u003cem\u003eseclogon.dll\u003c/em\u003e\u0026rdquo; when the TargetImage is \u0026ldquo;lsass.exe\u0026rdquo; (Sysmon Event ID 10).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-mal-seclogon-lsass/","summary":"An attacker abuses the Secondary Logon service (seclogon.dll) to gain unauthorized access to the LSASS process, potentially leaking credentials.","title":"Suspicious LSASS Access via Malicious Secondary Logon Service","url":"https://feed.craftedsignal.io/briefs/2024-01-mal-seclogon-lsass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThis rule identifies attempts to access the LSASS process via Windows API calls, specifically \u003ccode\u003eOpenProcess\u003c/code\u003e, \u003ccode\u003eOpenThread\u003c/code\u003e, and \u003ccode\u003eReadProcessMemory\u003c/code\u003e. The Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Attackers often target LSASS to dump credentials from memory for lateral movement and privilege escalation. This detection focuses on identifying unusual processes attempting to access the LSASS process, excluding common legitimate applications and directories. The rule leverages data from Elastic Defend and Microsoft Defender XDR to identify suspicious activity and provide defenders with actionable alerts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges to gain administrative rights.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a custom tool or script to call the \u003ccode\u003eOpenProcess\u003c/code\u003e, \u003ccode\u003eOpenThread\u003c/code\u003e or \u003ccode\u003eReadProcessMemory\u003c/code\u003e Windows APIs.\u003c/li\u003e\n\u003cli\u003eThe tool targets the \u003ccode\u003elsass.exe\u003c/code\u003e process to obtain a handle for memory access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained handle to read LSASS memory, searching for credential data.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts usernames, passwords, and other sensitive information from the dumped memory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of domain credentials, allowing attackers to move laterally within the network and gain access to sensitive resources. This can result in data breaches, system compromise, and significant financial or reputational damage. The rule aims to detect these attacks early, limiting the scope of the potential compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;LSASS API Access by Non-Standard Process\u0026rdquo; to your SIEM and tune for your environment to detect suspicious access to the LSASS process.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by this rule, focusing on the process execution chain and the access rights requested as documented in the provided Microsoft documentation.\u003c/li\u003e\n\u003cli\u003eEnable process creation and API call logging via Elastic Defend or Microsoft Defender XDR to provide the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eReview and harden LSASS protection mechanisms such as Credential Guard to minimize the risk of successful credential dumping.\u003c/li\u003e\n\u003cli\u003eImplement the Osquery queries to gather system information like DNS cache, services, and unsigned executables, to aid in investigation and threat hunting.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-lsass-process-access/","summary":"Detection of access attempts to the LSASS handle, indicating potential credential dumping by monitoring API calls (OpenProcess, OpenThread, ReadProcessMemory) targeting lsass.exe.","title":"LSASS Process Access via Windows API","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-process-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["credential-access","lsass","process-injection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies the creation of an LSASS process clone via \u003ccode\u003ePssCaptureSnapShot\u003c/code\u003e on Windows systems. The rule focuses on scenarios where the parent process of the new LSASS instance is also \u003ccode\u003elsass.exe\u003c/code\u003e. This behavior is often associated with attackers attempting to bypass security controls and dump LSASS memory to extract credentials. The technique is used to evade detection mechanisms that monitor the primary LSASS process. Successful exploitation can lead to the compromise of domain or local credentials stored in memory, allowing for lateral movement and privilege escalation within the network. The detection is based on Windows Security Event Logs, specifically event code 4688, and is designed to identify this specific cloning behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the target system, potentially using tools like PowerShell or command-line utilities.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a process to clone the LSASS process using \u003ccode\u003ePssCaptureSnapShot\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe newly created process, a clone of LSASS, runs alongside the original.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the cloned LSASS process to dump its memory. This may involve tools like \u003ccode\u003ecomsvcs.dll\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e or custom scripts leveraging the MiniDumpWriteDump function.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information from the dumped memory, including usernames, passwords, and Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to move laterally within the network, accessing additional systems and resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can result in the compromise of sensitive credentials stored in LSASS memory, including domain and local account credentials. This can lead to unauthorized access to critical systems and data, potentially resulting in data breaches, financial loss, and reputational damage. Domain controllers, jump hosts, and systems with privileged accounts are at especially high risk. The number of affected systems can range from a single machine to a large portion of the network, depending on the attacker\u0026rsquo;s objectives and the scope of the compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Windows Security Event Logs with event code 4688 for process creation events, specifically focusing on the process and parent process names to identify LSASS cloning attempts (see rule below).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potential LSASS clone creation via \u003ccode\u003ePssCaptureSnapShot\u003c/code\u003e. Tune the rule for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the processes involved in cloning and dumping LSASS memory.\u003c/li\u003e\n\u003cli\u003eEnable Audit Process Creation and Command Line logging as per the Elastic documentation to ensure the events used by the provided Sigma rules are captured.\u003c/li\u003e\n\u003cli\u003eIf a LSASS clone is detected, review authentication events (4624, 4648, 4625) on the affected host to identify any suspicious logons or credential usage.\u003c/li\u003e\n\u003cli\u003eMonitor for file activity related to memory dumps (e.g., .dmp files) using the process clone to identify potential credential theft attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-lsass-clone-creation/","summary":"Detection of LSASS process cloning using PssCaptureSnapShot, where the parent process is also LSASS, indicating a potential attempt to dump LSASS memory for credential access.","title":"Potential LSASS Clone Creation via PssCaptureSnapShot","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-clone-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","duplicatehandle","mirrordump","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious attempts to access the Local Security Authority Subsystem Service (LSASS) memory via the DuplicateHandle function on Windows systems. LSASS is a critical process that manages user credentials, making it a prime target for credential dumping attacks. Attackers may use DuplicateHandle to bypass the NtOpenProcess API, which is commonly monitored, to evade detection. The rule focuses on EventCode 10, looking for lsass.exe requesting DuplicateHandle access rights (0x40) where the call trace originates from an unknown executable region (\u003cem\u003eUNKNOWN\u003c/em\u003e). This technique is often associated with tools like MirrorDump.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system (e.g., via phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious program or script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious code attempts to open a handle to the LSASS process.\u003c/li\u003e\n\u003cli\u003eInstead of using NtOpenProcess, the attacker leverages the DuplicateHandle function to obtain a handle to LSASS.\u003c/li\u003e\n\u003cli\u003eThe DuplicateHandle call originates from an unknown or suspicious module, as indicated by \u0026ldquo;\u003cem\u003eUNKNOWN\u003c/em\u003e\u0026rdquo; in the call trace.\u003c/li\u003e\n\u003cli\u003eWith a valid handle to LSASS, the attacker dumps the LSASS memory to a file or other location.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the dumped memory to extract sensitive credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement, privilege escalation, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the compromise of user credentials, including domain administrator accounts. This can give attackers unrestricted access to the entire domain, allowing them to steal sensitive data, install malware, or disrupt critical services. The impact can range from data breaches and financial loss to complete infrastructure compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation and event 10 logging to capture the necessary telemetry for this detection. (Setup instructions: \u003ca href=\"https://ela.st/sysmon-event-10-setup\"\u003ehttps://ela.st/sysmon-event-10-setup\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Credential Access via DuplicateHandle in LSASS\u0026rdquo; to your SIEM and tune for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by reviewing the event logs and call trace details to identify suspicious modules or processes.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for LSASS and related processes to detect any future attempts to exploit the DuplicateHandle function.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:30:00Z","date_published":"2024-01-03T17:30:00Z","id":"/briefs/2024-01-lsass-dupehandle/","summary":"Detection of suspicious LSASS handle access via DuplicateHandle from an unknown call trace module, indicating a potential attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.","title":"Potential Credential Access via LSASS Handle Duplication","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-dupehandle/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Cisco AnyConnect Secure Mobility Client","Cisco Secure Client","Oracle Database"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Oracle"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for enforcing security policies and handling user authentication. Attackers often target LSASS to extract credentials, enabling unauthorized access and privilege escalation. This detection rule identifies suspicious access attempts to LSASS memory, which may indicate credential dumping activities. It filters out common legitimate processes and access patterns to highlight anomalous behaviors associated with credential theft. The rule is designed to detect unauthorized access attempts by monitoring process access events and filtering out known benign processes that interact with LSASS. It helps defenders identify potential credential access attempts before they lead to significant compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious process or script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to gain a handle to the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s tool requests specific access rights to LSASS, such as \u003ccode\u003eReadProcessMemory\u003c/code\u003e (0x0010) or \u003ccode\u003ePROCESS_QUERY_INFORMATION\u003c/code\u003e (0x0400), which are necessary for memory dumping.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s process bypasses or disables endpoint detection and response (EDR) solutions to avoid detection.\u003c/li\u003e\n\u003cli\u003eThe tool dumps the LSASS memory, extracting sensitive information like usernames, passwords, and Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to move laterally within the network, accessing other systems and resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful LSASS memory dump can lead to the compromise of domain credentials, allowing attackers to move laterally within the network and gain access to sensitive data and systems. This can result in data breaches, financial loss, and reputational damage. Organizations across all sectors are vulnerable, particularly those with weak credential management practices. A single compromised account can lead to widespread damage, potentially affecting thousands of systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process access event logging (Event ID 10) as described in the setup instructions linked in the rule to collect the necessary data.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Lsass Process Access\u0026rdquo; to your SIEM and tune the exclusions based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eReview and harden privileged account management practices to limit the impact of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unusual process creation events, especially those spawning from unexpected locations, to identify potential initial access points.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for vulnerabilities and apply patches to prevent exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-lsass-access/","summary":"This rule identifies suspicious access attempts to the LSASS process, potentially indicating credential dumping attempts by filtering out legitimate processes and access patterns to focus on anomalies.","title":"Suspicious LSASS Process Access","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-lsass-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","dll-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","McAfee","SecMaker AB","HID Global","Apple","Citrix Systems","Dell","Hewlett-Packard Company","Symantec Corporation","National Instruments Corporation","DigitalPersona","Novell","Gemalto","EasyAntiCheat Oy","Entrust Datacard Corporation","AuriStor","LogMeIn","VMware","Nubeva Technologies Ltd","Micro Focus","Yubico AB","Secure Endpoints","Sophos","Morphisec Information Security","Entrust","F5 Networks","Bit4id","Thales DIS CPL USA","Micro Focus International plc","HYPR Corp","Intel","PGP Corporation","Parallels International GmbH","FrontRange Solutions Deutschland GmbH","SecureLink","Tidexa OU","Amazon Web Services","SentryBay Limited","Audinate Pty Ltd","CyberArk Software","NVIDIA","Trend Micro","Fortinet","Carbon Black"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component that manages security policies and user authentication. Attackers often target LSASS to dump credentials, using techniques like injecting malicious DLLs. This detection focuses on identifying instances where LSASS loads a DLL that is either unsigned or not signed by a trusted vendor. The rule excludes known legitimate signatures and file hashes to reduce false positives. This activity is a strong indicator of credential access attempts, potentially leading to further compromise of the system and network. The signatures identified in the rule contain well-known software vendors like Microsoft, McAfee and Citrix.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain sufficient access to interact with the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL onto the system, often disguised as a legitimate file.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious DLL into the LSASS process using techniques like Reflective DLL Injection.\u003c/li\u003e\n\u003cli\u003eLSASS loads the injected DLL, granting the attacker access to sensitive credentials stored in memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL dumps credentials, such as plaintext passwords or NTLM hashes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to credential compromise, allowing attackers to move laterally within the network, access sensitive data, and potentially achieve complete domain dominance. This can result in data breaches, financial losses, and reputational damage. The impact depends on the level of access associated with the compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eLSASS Loading Untrusted DLL\u003c/code\u003e Sigma rule to your SIEM to detect suspicious DLLs loaded by LSASS.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and review the loaded DLL\u0026rsquo;s code signature and hash.\u003c/li\u003e\n\u003cli\u003eBlock the identified SHA256 hashes listed in the IOC table to prevent the execution of known malicious DLLs.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict which DLLs can be loaded into LSASS.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and image load logging to provide the necessary data for detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-lsass-suspicious-dll/","summary":"Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.","title":"LSASS Loading Suspicious DLL","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-suspicious-dll/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","memory-dump","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical Windows process responsible for enforcing security policy and handling user authentication. Attackers often target LSASS to steal credentials for lateral movement and privilege escalation. This detection identifies attempts to access LSASS memory using specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) that are commonly used by tools designed to dump LSASS memory. The rule is designed to be tool-agnostic, detecting the underlying behavior rather than specific tool signatures. It has been validated against various LSASS dumping tools, including SharpDump, Procdump, Mimikatz, and Comsvcs. The rule triggers on Windows systems where handle manipulation is enabled and generates security event logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to an administrative account or SYSTEM, necessary for accessing LSASS memory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a credential dumping tool, such as Mimikatz, SharpDump, or Procdump.\u003c/li\u003e\n\u003cli\u003eThe tool attempts to open a handle to the LSASS process (lsass.exe) with a specific access mask (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) required for memory dumping.\u003c/li\u003e\n\u003cli\u003eWindows Security Event ID 4656 is generated, logging the handle request to the LSASS object.\u003c/li\u003e\n\u003cli\u003eThe tool reads the memory contents of the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe dumped memory is parsed to extract sensitive information, such as passwords, NTLM hashes, and Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally to other systems or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful LSASS memory dumping allows attackers to steal user credentials, enabling lateral movement and privilege escalation within the network. This can lead to widespread compromise, data breaches, and significant disruption of services. Stolen credentials can be used to access sensitive data, control critical systems, and maintain a persistent presence within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Handle Manipulation to generate the necessary events for this rule to function, as described in the \u003ca href=\"https://ela.st/audit-handle-manipulation\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLSASS Memory Dump Handle Access\u003c/code\u003e to your SIEM and tune the exceptions based on your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the process execution chain (parent process tree) to identify the source of the LSASS handle request.\u003c/li\u003e\n\u003cli\u003eReview the processes excluded in the rule (WmiPrvSE.exe, dllhost.exe, svchost.exe, msiexec.exe, explorer.exe) and ensure these exclusions are valid for your environment.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to mitigate the impact of credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-lsass-memory-dump/","summary":"This rule detects handle requests for LSASS object access with specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) indicative of memory dumping, commonly employed by tools like SharpDump, Procdump, Mimikatz, and Comsvcs to extract credentials from the LSASS process on Windows systems.","title":"LSASS Memory Dump Handle Access Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-memory-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","SQL Server","SQL Server Reporting Services"],"_cs_severities":["medium"],"_cs_tags":["credential_access","lsass","memory_dump","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the creation of LSASS memory dump files on Windows systems, which is a common technique used by attackers to extract credentials. The rule focuses on specific filenames associated with LSASS dumps and tools used for creating these dumps, such as \u003ccode\u003elsass*.dmp\u003c/code\u003e, \u003ccode\u003edumpert.dmp\u003c/code\u003e, \u003ccode\u003eAndrew.dmp\u003c/code\u003e, \u003ccode\u003eSQLDmpr*.mdmp\u003c/code\u003e, and \u003ccode\u003eCoredump.dmp\u003c/code\u003e. The rule excludes known legitimate crash analysis paths and SQLDumper dump locations to reduce false positives. The rule aims to detect credential access attempts through trusted utilities such as Task Manager or SQLDumper, or known tooling such as Dumpert and AndrewSpecial. It is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a tool or utility to create a memory dump of the LSASS process. This can be done using built-in tools like Task Manager or SQLDumper, or third-party tools like Dumpert or AndrewSpecial.\u003c/li\u003e\n\u003cli\u003eThe tool writes the LSASS memory dump to a file with a name matching a known pattern, such as \u003ccode\u003elsass.dmp\u003c/code\u003e, \u003ccode\u003edumpert.dmp\u003c/code\u003e, or \u003ccode\u003eSQLDmpr0001.mdmp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe file is created in a location that is not a known legitimate crash dump location (e.g., not in \u003ccode\u003e\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker may move, copy, or archive the dump file to avoid detection or to prepare it for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker uses another tool, such as Mimikatz, to parse the LSASS memory dump and extract credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to move laterally to other systems or to access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is often to gain domain administrator privileges or to exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and credential extraction can lead to complete domain compromise, unauthorized access to sensitive data, and significant financial or reputational damage. The impact is amplified if the compromised system is a domain controller, jump host, or privileged admin workstation. The rule is designed to detect the initial stage of credential access and prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon FileCreate events (Event ID 11) to capture the creation of LSASS memory dump files.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLSASS Memory Dump Creation\u003c/code\u003e to your SIEM to detect suspicious LSASS memory dump creation events and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process executable, parent process, file path, and user context.\u003c/li\u003e\n\u003cli\u003eIf a suspicious LSASS memory dump is found, isolate the affected host and begin credential hygiene for implicated accounts and systems.\u003c/li\u003e\n\u003cli\u003eBlock known malicious tools like Dumpert and AndrewSpecial from running on your network.\u003c/li\u003e\n\u003cli\u003eMonitor for related credential-access, staging, privilege, or lateral-movement alerts for the same user or host.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-lsass-dump-creation/","summary":"This rule identifies the creation of LSASS memory dump files, often indicative of credential access attempts using tools like Task Manager, SQLDumper, Dumpert, or AndrewSpecial, by monitoring for specific filenames and excluding legitimate dump locations.","title":"LSASS Memory Dump Creation Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-dump-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Lsass","version":"https://jsonfeed.org/version/1.1"}