|
2 | 2 | creation_date = "2023/03/02" |
3 | 3 | integration = ["endpoint", "m365_defender"] |
4 | 4 | maturity = "production" |
5 | | -updated_date = "2025/02/03" |
| 5 | +updated_date = "2025/12/11" |
6 | 6 |
|
7 | 7 | [transform] |
8 | 8 | [[transform.osquery]] |
@@ -33,9 +33,9 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu |
33 | 33 | [rule] |
34 | 34 | author = ["Elastic"] |
35 | 35 | description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n" |
36 | | -from = "now-9m" |
37 | | -index = ["logs-endpoint.events.api-*", "logs-m365_defender.event-*"] |
38 | | -language = "eql" |
| 36 | +from = "now-30m" |
| 37 | +interval = "15m" |
| 38 | +language = "esql" |
39 | 39 | license = "Elastic License v2" |
40 | 40 | name = "LSASS Process Access via Windows API" |
41 | 41 | note = """## Triage and analysis |
@@ -116,71 +116,35 @@ tags = [ |
116 | 116 | "Resources: Investigation Guide" |
117 | 117 | ] |
118 | 118 | timestamp_override = "event.ingested" |
119 | | -type = "eql" |
| 119 | +type = "esql" |
120 | 120 |
|
121 | 121 | query = ''' |
122 | | -api where host.os.type == "windows" and |
123 | | - process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and |
124 | | - not |
125 | | - ( |
126 | | - process.executable : ( |
127 | | - "?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe", |
128 | | - "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", |
129 | | - "?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe", |
130 | | - "?:\\Program Files (x86)\\Blackpoint\\SnapAgent\\SnapAgent.exe", |
131 | | - "?:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\EFR\\EFRService.exe", |
132 | | - "?:\\Program Files (x86)\\CyberCNSAgent\\osqueryi.exe", |
133 | | - "?:\\Program Files (x86)\\cisco\\cisco anyconnect secure mobility client\\vpnagent.exe", |
134 | | - "?:\\Program Files (x86)\\cisco\\cisco anyconnect secure mobility client\\aciseagent.exe", |
135 | | - "?:\\Program Files (x86)\\cisco\\cisco anyconnect secure mobility client\\vpndownloader.exe", |
136 | | - "?:\\Program Files (x86)\\eScan\\reload.exe", |
137 | | - "?:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", |
138 | | - "?:\\Program Files (x86)\\Kaspersky Lab\\*\\avp.exe", |
139 | | - "?:\\Program Files (x86)\\microsoft intune management extension\\microsoft.management.services.intunewindowsagent.exe", |
140 | | - "?:\\Program Files (x86)\\N-able Technologies\\Reactive\\bin\\NableReactiveManagement.exe", |
141 | | - "?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe", |
142 | | - "?:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe", |
143 | | - "?:\\Program Files (x86)\\Trend Micro\\*\\CCSF\\TmCCSF.exe", |
144 | | - "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\TMASutility.exe", |
145 | | - "?:\\Program Files*\\Windows Defender\\MsMpEng.exe", |
146 | | - "?:\\Program Files\\Bitdefender\\Endpoint Security\\EPSecurityService.exe", |
147 | | - "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe", |
148 | | - "?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe", |
149 | | - "?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe", |
150 | | - "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\agentbeat.exe", |
151 | | - "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe", |
152 | | - "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe", |
153 | | - "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\packetbeat.exe", |
154 | | - "?:\\Program Files\\ESET\\ESET Security\\ekrn.exe", |
155 | | - "?:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe", |
156 | | - "?:\\Program Files\\Fortinet\\FortiClient\\FortiSSLVPNdaemon.exe", |
157 | | - "?:\\Program Files\\Goverlan Inc\\GoverlanAgent\\GovAgentx64.exe", |
158 | | - "?:\\Program Files\\Huntress\\HuntressAgent.exe", |
159 | | - "?:\\Program Files\\LogicMonitor\\Agent\\bin\\sbshutdown.exe", |
160 | | - "?:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe", |
161 | | - "?:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\*\\pmfexe.exe", |
162 | | - "?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe", |
163 | | - "?:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe", |
164 | | - "?:\\Program Files\\smart-x\\controlupagent\\version*\\cuagent.exe", |
165 | | - "?:\\Program Files\\TDAgent\\ossec-agent\\ossec-agent.exe", |
166 | | - "?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe", |
167 | | - "?:\\Program Files\\Trend Micro\\Deep Security Agent\\netagent\\tm_netagent.exe", |
168 | | - "?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", |
169 | | - "?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe", |
170 | | - "?:\\Program Files\\Wise\\Wise Memory Optimizer\\WiseMemoryOptimzer.exe", |
171 | | - "?:\\Windows\\AdminArsenal\\PDQDeployRunner\\*\\exec\\Sysmon64.exe", |
172 | | - "?:\\Windows\\Sysmon.exe", |
173 | | - "?:\\Windows\\Sysmon64.exe", |
174 | | - "?:\\Windows\\System32\\csrss.exe", |
175 | | - "?:\\Windows\\System32\\MRT.exe", |
176 | | - "?:\\Windows\\System32\\msiexec.exe", |
177 | | - "?:\\Windows\\System32\\taskhostw.exe", |
178 | | - "?:\\Windows\\System32\\RtkAudUService64.exe", |
179 | | - "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", |
180 | | - "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe", |
181 | | - "?:\\Windows\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe" |
182 | | - ) and not ?process.code_signature.trusted == false |
183 | | - ) |
| 122 | +from logs-endpoint.events.api-*, logs-m365_defender.event-* metadata _id, _version, _index |
| 123 | +
|
| 124 | +| where event.category == "api" and host.os.family == "windows" and |
| 125 | + process.Ext.api.name in ("OpenProcess", "OpenThread", "ReadProcessMemory") and |
| 126 | + Target.process.name == "lsass.exe" and process.executable is not null and |
| 127 | +
|
| 128 | + // Noisy patterns |
| 129 | + not to_lower(process.executable) like """c:\\program files\\*.exe""" and |
| 130 | + not to_lower(process.executable) like """c:\\program files (x86)\\*.exe""" and |
| 131 | + not process.executable like """C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe""" and |
| 132 | + not process.executable like """C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe""" and |
| 133 | + not process.executable like """C:\\Program Files\\*.exe""" and not process.executable like """C:\\Program Files (x86)\\*.exe""" |
| 134 | +
|
| 135 | + /* normalize process paths to reduce known random patterns in process.executable */ |
| 136 | +| eval Esql.process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") |
| 137 | +
|
| 138 | +// Group by process path |
| 139 | +| stats Esql.access_count = count(*), |
| 140 | + Esql.count_distinct_hosts = count_distinct(host.id), |
| 141 | + Esql.host_id_values = VALUES(host.id), |
| 142 | + Esql.process_pid_values = VALUES(process.entity_id), |
| 143 | + Esql.user_name_values = VALUES(user.name) by Esql.process_path |
| 144 | +
|
| 145 | +// Limit to rare instances |
| 146 | +| where Esql.count_distinct_hosts == 1 and Esql.access_count <= 3 |
| 147 | +| keep Esql.* |
184 | 148 | ''' |
185 | 149 |
|
186 | 150 |
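Review bot: The blanket exclusions at new lines 129–133 drop the signature requirement the removed EQL allowlist carried (`not ?process.code_signature.trusted == false`), so any binary launched from under C:\Program Files or C:\Program Files (x86) — not only the vendor agents previously enumerated — is now never evaluated, even when unsigned or signed by an untrusted certificate. Consider tying the path exclusion to the signature state, e.g. `not (to_lower(process.executable) like """c:\\program files\\*.exe""" and process.code_signature.trusted == true) and` (and the same for the x86 path); if the m365_defender events do not carry process.code_signature, the null comparison still drops the row, so that source behaves as it does today — verify against the index mappings. New line 133 is also redundant: the two case-sensitive `like` checks on `C:\Program Files…` are already subsumed by the `to_lower` checks on lines 129–130. Separately, `Esql.process_pid_values` holds `process.entity_id`, not a PID, so a name such as `Esql.process_entity_id_values` would be less misleading during triage.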
|
|