Detection rules › Elastic
Potential Credential Access via DuplicateHandle in LSASS
Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003 OS Credential Dumping, T1003.001 OS Credential Dumping: LSASS Memory |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 10 | ProcessAccess |
Stages and Predicates
Stage 1: eql:process
process.name:"lsass.exe" and winlog.event_data.CallTrace:"UNKNOWN" and winlog.event_data.GrantedAccess:0x40Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
process.name | wildcard |
|
winlog.event_data.CallTrace | wildcard |
|
winlog.event_data.GrantedAccess | eq |
|