feat(rules): LSASS process clone creation via reflection

Identifies the creation of an LSASS clone process via RtlCreateProcessReflection API function. Adversaries can use this technique to dump credentials material from the LSASS fork and evade defenses.

Author: rabbitstack

rules/credential_access_lsass_process_clone_creation_via_reflection.yml

@@ -0,0 +1,31 @@
+name: LSASS process clone creation via reflection
+id: cdf3810a-4832-446a-ac9d-d108cf2e313c
+version: 1.0.0
+description: |
+  Identifies the creation of an LSASS clone process via RtlCreateProcessReflection API function.
+  Adversaries can use this technique to dump credentials material from the LSASS fork and evade
+  defenses.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.id: T1003
+  technique.name: OS Credential Dumping
+  technique.ref: https://attack.mitre.org/techniques/T1003/
+  subtechnique.id: T1003.001
+  subtechnique.name: LSASS Memory
+  subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
+references:
+  - https://github.com/Offensive-Panda/LsassReflectDumping
+  - https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/
+
+condition: >
+  spawn_process and ps.name ~= 'lsass.exe' and ps.child.name ~= 'lsass.exe'
+    and
+  thread.callstack.symbols imatches ('ntdll.dll!RtlCloneUserProcess', 'ntdll.dll!RtlCreateProcessReflection')
+action:
+  - name: kill
+
+severity: high
+
+min-engine-version: 2.2.0