From 4ebe85b01712818f770fcc42b9abb12d0749a481 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 8 Apr 2025 21:36:03 +0200
Subject: [PATCH] feat(rules): LSASS process clone creation via reflection

Identifies the creation of an LSASS clone process via RtlCreateProcessReflection API function. Adversaries can use this technique to dump credentials material from the LSASS fork and evade defenses.
---
 ..._process_clone_creation_via_reflection.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 rules/credential_access_lsass_process_clone_creation_via_reflection.yml

diff --git a/rules/credential_access_lsass_process_clone_creation_via_reflection.yml b/rules/credential_access_lsass_process_clone_creation_via_reflection.yml
new file mode 100644
index 000000000..fe5933f78
--- /dev/null
+++ b/rules/credential_access_lsass_process_clone_creation_via_reflection.yml
@@ -0,0 +1,31 @@
+name: LSASS process clone creation via reflection
+id: cdf3810a-4832-446a-ac9d-d108cf2e313c
+version: 1.0.0
+description: |
+ Identifies the creation of an LSASS clone process via RtlCreateProcessReflection API function.
+ Adversaries can use this technique to dump credentials material from the LSASS fork and evade
+ defenses.
+labels:
+ tactic.id: TA0006
+ tactic.name: Credential Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.id: T1003
+ technique.name: OS Credential Dumping
+ technique.ref: https://attack.mitre.org/techniques/T1003/
+ subtechnique.id: T1003.001
+ subtechnique.name: LSASS Memory
+ subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
+references:
+ - https://github.com/Offensive-Panda/LsassReflectDumping
+ - https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/
+
+condition: >
+ spawn_process and ps.name ~= 'lsass.exe' and ps.child.name ~= 'lsass.exe'
+ and
+ thread.callstack.symbols imatches ('ntdll.dll!RtlCloneUserProcess', 'ntdll.dll!RtlCreateProcessReflection')
+action:
+ - name: kill
+
+severity: high
+
+min-engine-version: 2.2.0
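Review bot: The `kill` action on this rule needs confirming before it ships, because on the matched `spawn_process` event the originating process (`ps.name`) is `lsass.exe` itself — process reflection makes the target clone itself — so if the engine's kill resolves to the event's originating process rather than `ps.child`, a match would terminate LSASS and force a system restart. If the action cannot be pinned to the clone's PID, consider dropping it from this rule or stating in `description` which process it terminates. The condition also depends on call stack symbol enrichment (`thread.callstack.symbols`); where stack telemetry is unavailable or symbols cannot be resolved the rule silently never fires, which is worth a sentence in `description`. Legitimate crash-reporting components may presumably use process reflection on LSASS as well, so the rule should be baselined for false positives before the kill action is enabled.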