IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Suspicious Module Loaded by LSASS
editSuspicious Module Loaded by LSASS
editIdentifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user’s Domain password or smart card PINs.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Credential Access
- Data Source: Elastic Defend
Version: 5
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editlibrary where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and
not (dll.code_signature.subject_name :
("Microsoft Windows",
"Microsoft Corporation",
"Microsoft Windows Publisher",
"Microsoft Windows Software Compatibility Publisher",
"Microsoft Windows Hardware Compatibility Publisher",
"McAfee, Inc.",
"SecMaker AB",
"HID Global Corporation",
"HID Global",
"Apple Inc.",
"Citrix Systems, Inc.",
"Dell Inc",
"Hewlett-Packard Company",
"Symantec Corporation",
"National Instruments Corporation",
"DigitalPersona, Inc.",
"Novell, Inc.",
"gemalto",
"EasyAntiCheat Oy",
"Entrust Datacard Corporation",
"AuriStor, Inc.",
"LogMeIn, Inc.",
"VMware, Inc.",
"Istituto Poligrafico e Zecca dello Stato S.p.A.",
"Nubeva Technologies Ltd",
"Micro Focus (US), Inc.",
"Yubico AB",
"GEMALTO SA",
"Secure Endpoints, Inc.",
"Sophos Ltd",
"Morphisec Information Security 2014 Ltd",
"Entrust, Inc.",
"Nubeva Technologies Ltd",
"Micro Focus (US), Inc.",
"F5 Networks Inc",
"Bit4id",
"Thales DIS CPL USA, Inc.",
"Micro Focus International plc",
"HYPR Corp",
"Intel(R) Software Development Products",
"PGP Corporation",
"Parallels International GmbH",
"FrontRange Solutions Deutschland GmbH",
"SecureLink, Inc.",
"Tidexa OU",
"Amazon Web Services, Inc.",
"SentryBay Limited",
"Audinate Pty Ltd",
"CyberArk Software Ltd.",
"McAfeeSysPrep",
"NVIDIA Corporation PE Sign v2016") and
dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and
not dll.hash.sha256 :
("811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c",
"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1",
"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3",
"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12",
"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa",
"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b",
"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61",
"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb",
"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: OS Credential Dumping
- ID: T1003
- Reference URL: https://attack.mitre.org/techniques/T1003/
-
Sub-technique:
- Name: LSASS Memory
- ID: T1003.001
- Reference URL: https://attack.mitre.org/techniques/T1003/001/