Potential LSASS Clone Creation via PssCaptureSnapShot

Elastic Detection Rules

Summary
This detection rule identifies the creation of a clone of the LSASS (Local Security Authority Subsystem Service) process via the PssCaptureSnapShot API. The detection specifically looks for process-creation events in which the parent process is the original LSASS process, a pattern that may indicate an attempt to evade detection while performing credential dumping. The rule analyzes Windows Security process-creation events (event code 4688) across the Windows indices it supports, including Winlogbeat and other log sources that ship Security events. By monitoring for newly created processes that match the LSASS executable while being spawned by LSASS itself, security teams can identify potential threats to credential access. Users are encouraged to triage the matching events to assess their legitimacy and relevance to ongoing security incidents, and to respond to any activity confirmed as suspicious.
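The following is an added example of the detection logic the summary describes, written here for illustration; it is not Elastic's rule or query. It assumes 4688 events have already been parsed into dictionaries with the field names `event_code`, `new_process_name` and `parent_process_name` (Winlogbeat-style names chosen for this example), and it assumes that "matches the LSASS executable" means a case-insensitive full-path match against `C:\Windows\System32\lsass.exe`. The sample events are constructed, not real telemetry; the third one models the legitimate boot-time start of LSASS by wininit.exe, which must not fire.

```python
"""Added example (not Elastic's rule code): flag Windows 4688 process-creation
events where lsass.exe is the parent of a new lsass.exe process, the pattern
the rule above describes for PssCaptureSnapShot clones of LSASS."""
from __future__ import annotations
from typing import Iterable

# Assumption for this example: the rule's "LSASS executable criteria" is a
# full-path match against the canonical LSASS location.
LSASS_PATH = r"c:\windows\system32\lsass.exe"

# Constructed sample events (not real telemetry). Field names follow the
# Winlogbeat layout for Security events; only the fields used here are kept.
SAMPLE_EVENTS = [
    {"event_code": "4688",
     "new_process_name": r"C:\Windows\System32\svchost.exe",
     "parent_process_name": r"C:\Windows\System32\services.exe",
     "computer": "WS01"},
    # lsass.exe spawned by lsass.exe: the clone pattern the rule targets
    {"event_code": "4688",
     "new_process_name": r"C:\Windows\System32\lsass.exe",
     "parent_process_name": r"C:\Windows\System32\lsass.exe",
     "computer": "WS01"},
    # Legitimate LSASS start at boot: parent is wininit.exe, must not fire
    {"event_code": "4688",
     "new_process_name": r"C:\Windows\System32\lsass.exe",
     "parent_process_name": r"C:\Windows\System32\wininit.exe",
     "computer": "WS02"},
    # A non-4688 event with the fields empty, to exercise the event-code gate
    {"event_code": "4624",
     "new_process_name": "",
     "parent_process_name": "",
     "computer": "WS01"},
]


def _norm(path: str) -> str:
    """Normalize a Windows path for comparison (case-insensitive)."""
    return path.strip().lower()


def is_lsass_clone(event: dict) -> bool:
    """True when a 4688 event shows lsass.exe creating another lsass.exe."""
    if event.get("event_code") != "4688":
        return False
    child = _norm(event.get("new_process_name", ""))
    parent = _norm(event.get("parent_process_name", ""))
    return child == LSASS_PATH and parent == LSASS_PATH


def find_lsass_clones(events: Iterable[dict]) -> list[dict]:
    """Return the events that match the LSASS-clone pattern, for triage."""
    return [e for e in events if is_lsass_clone(e)]


if __name__ == "__main__":
    for hit in find_lsass_clones(SAMPLE_EVENTS):
        print(f"[{hit['computer']}] lsass.exe spawned lsass.exe "
              f"(parent={hit['parent_process_name']})")
```

Only the second sample event is reported; the boot-time start of LSASS by wininit.exe passes through because the rule keys on the parent being LSASS itself, which is what keeps the false-positive rate low for this pattern.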
Categories
  • Endpoint
  • Windows
  • Infrastructure
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1003
  • T1003.001
Created: 2021-11-27