nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/windows/credential_access_kirbi_file.toml

@@ -0,0 +1,103 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running
+Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the
+attacker to impersonate users using Kerberos tickets.
+"""
+from = "now-9m"
+index = [
+    "logs-endpoint.events.file-*",
+    "logs-windows.sysmon_operational-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-m365_defender.event-*",
+    "winlogbeat-*",
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Kirbi File Creation"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Kirbi File Creation
+
+Kirbi files are associated with Kerberos, a network authentication protocol used in Windows environments to verify user identities. Adversaries exploit this by using tools like Mimikatz to extract Kerberos tickets, enabling unauthorized access through techniques like Pass-The-Ticket. The detection rule identifies the creation of these files, signaling potential credential dumping activities, by monitoring file creation events with a specific extension on Windows systems.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific host where the .kirbi file was created, focusing on the host.os.type field to confirm it is a Windows system.
+- Examine the file creation event logs to determine the exact timestamp of the .kirbi file creation and correlate it with other security events around the same time.
+- Investigate the user account associated with the file creation event to determine if it is a legitimate user or potentially compromised, using the event data to identify the user.
+- Check for any recent logins or authentication attempts on the affected host that may indicate unauthorized access, focusing on unusual or unexpected activity.
+- Analyze the process tree and parent processes related to the file creation event to identify any suspicious or unauthorized processes that may have led to the creation of the .kirbi file.
+- Look for additional indicators of compromise on the host, such as other suspicious file creations, modifications, or network connections, to assess the scope of the potential breach.
+- Consult threat intelligence sources or internal threat databases to determine if the detected activity matches known attack patterns or threat actor behaviors associated with Kerberos ticket dumping.
+
+### False positive analysis
+
+- Legitimate administrative tools or scripts that manage Kerberos tickets may create .kirbi files as part of their normal operations. Review the context of the file creation event to determine if it aligns with expected administrative activities.
+- Scheduled tasks or automated processes that involve Kerberos ticket management might trigger this rule. Identify and document these processes, and consider creating exceptions for known, benign activities.
+- Security software or monitoring tools that interact with Kerberos tickets for auditing or compliance purposes could generate .kirbi files. Verify the source of the file creation and whitelist trusted applications or processes.
+- Development or testing environments where Kerberos authentication is being simulated or tested may produce .kirbi files. Ensure these environments are well-documented and apply exclusions where necessary to avoid false alerts.
+
+### Response and remediation
+
+- Isolate the affected system from the network immediately to prevent further unauthorized access or lateral movement by the attacker.
+- Terminate any suspicious processes associated with Mimikatz or other credential dumping tools to halt ongoing malicious activities.
+- Conduct a thorough review of recent authentication logs and Kerberos ticket activity to identify any unauthorized access or ticket usage.
+- Reset passwords for all potentially compromised accounts, prioritizing those with elevated privileges, to mitigate the risk of further exploitation.
+- Revoke all active Kerberos tickets and force re-authentication for all users to ensure that any stolen tickets are rendered useless.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
+- Implement enhanced monitoring and logging for Kerberos-related activities to detect and respond to similar threats more effectively in the future."""
+risk_score = 73
+rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Elastic Endgame",
+    "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique]]
+id = "T1558"
+name = "Steal or Forge Kerberos Tickets"
+reference = "https://attack.mitre.org/techniques/T1558/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

nldcsc_elastic_rules/rules/windows/credential_access_ldap_attributes.toml

@@ -0,0 +1,158 @@
+[metadata]
+creation_date = "2022/11/09"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2025/11/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as
+unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
+"""
+from = "now-9m"
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Access to a Sensitive LDAP Attribute"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Access to a Sensitive LDAP Attribute
+
+LDAP (Lightweight Directory Access Protocol) is crucial for accessing and managing directory information in Active Directory environments. Adversaries may exploit LDAP to access sensitive attributes like passwords and decryption keys, facilitating credential theft or privilege escalation. The detection rule identifies unauthorized access attempts by monitoring specific event codes and attribute identifiers, excluding benign activities to reduce noise, thus highlighting potential security threats.
+
+### Possible investigation steps
+
+- Review the event logs for event code 4662 to identify the specific user or process attempting to access the sensitive LDAP attributes.
+- Check the winlog.event_data.SubjectUserSid to determine the identity of the user or service account involved in the access attempt, excluding the well-known SID S-1-5-18 (Local System).
+- Analyze the winlog.event_data.Properties field to confirm which sensitive attribute was accessed, such as unixUserPassword, ms-PKI-AccountCredentials, or msPKI-CredentialRoamingTokens.
+- Investigate the context of the access attempt by correlating the event with other logs or alerts around the same timestamp to identify any suspicious patterns or activities.
+- Verify the legitimacy of the access by checking if the user or process has a valid reason or permission to access the sensitive attributes, considering the organization's access control policies.
+- Assess the potential impact of the access attempt on the organization's security posture, focusing on credential theft or privilege escalation risks.
+- Document findings and, if necessary, escalate the incident to the appropriate security team for further action or remediation.
+
+### False positive analysis
+
+- Access by legitimate administrative accounts: Regular access by system administrators to sensitive LDAP attributes can trigger alerts. To manage this, create exceptions for known administrative accounts by excluding their SIDs from the detection rule.
+- Scheduled system processes: Automated tasks or system processes that require access to certain LDAP attributes may cause false positives. Identify these processes and exclude their specific event codes or AccessMasks if they are consistently benign.
+- Service accounts: Service accounts that perform routine directory operations might access sensitive attributes as part of their normal function. Exclude these accounts by adding their SIDs to the exception list to prevent unnecessary alerts.
+- Monitoring tools: Security or monitoring tools that scan directory attributes for compliance or auditing purposes can generate false positives. Whitelist these tools by excluding their event sources or specific actions from the detection criteria.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Conduct a thorough review of the access logs to identify any unauthorized users or systems that accessed the sensitive LDAP attributes.
+- Reset passwords and revoke any potentially compromised credentials associated with the affected accounts, focusing on those with access to sensitive attributes.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
+- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activities or attempts to access sensitive LDAP attributes.
+- Review and update access controls and permissions for sensitive LDAP attributes to ensure they are restricted to only necessary personnel.
+- Conduct a post-incident analysis to identify any gaps in security controls and update policies or procedures to prevent similar incidents in the future."""
+references = [
+    "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
+    "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
+    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
+]
+risk_score = 47
+rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66"
+setup = """## Setup
+
+The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Access (Success,Failure)
+```
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Tactic: Privilege Escalation",
+    "Use Case: Active Directory Monitoring",
+    "Data Source: Active Directory",
+    "Data Source: Windows Security Event Logs",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and event.code == "4662" and
+
+  not winlog.event_data.SubjectUserSid : "S-1-5-18" and
+
+  winlog.event_data.Properties : (
+   /* unixUserPassword */
+  "*612cb747-c0e8-4f92-9221-fdd5f15b550d*",
+
+  /* ms-PKI-AccountCredentials */
+  "*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*",
+
+  /*  ms-PKI-DPAPIMasterKeys */
+  "*b3f93023-9239-4f7c-b99c-6745d87adbc2*",
+
+  /* msPKI-CredentialRoamingTokens */
+  "*b7ff5a38-0818-42b0-8110-d3d154c97f24*"
+  ) and
+
+  /*
+   Excluding noisy AccessMasks
+   0x0 undefined and 0x100 Control Access
+   https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
+   */
+  not winlog.event_data.AccessMask in ("0x0", "0x100")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.004"
+name = "Private Keys"
+reference = "https://attack.mitre.org/techniques/T1552/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.002"
+name = "Domain Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

nldcsc_elastic_rules/rules/windows/credential_access_lsass_handle_via_malseclogon.toml

@@ -0,0 +1,105 @@
+[metadata]
+creation_date = "2022/06/29"
+integration = ["windows"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access
+rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in
+preparation for credential access.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious LSASS Access via MalSecLogon"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious LSASS Access via MalSecLogon
+
+The Local Security Authority Subsystem Service (LSASS) is crucial for managing security policies and user authentication in Windows environments. Adversaries may exploit the Secondary Logon service to gain unauthorized access to LSASS, aiming to extract sensitive credentials. The detection rule identifies this threat by monitoring for unusual access patterns involving LSASS, specifically when the seclogon.dll is involved, indicating potential credential dumping activities.
+
+### Possible investigation steps
+
+- Review the event logs for the specific event code "10" to gather more details about the process that triggered the alert, focusing on the time of occurrence and any associated user accounts.
+- Examine the process details for "svchost.exe" to determine if it is running under an expected service or if there are any anomalies in its execution context, such as unusual parent processes or command-line arguments.
+- Investigate the call trace involving "seclogon.dll" to understand the sequence of events leading to the LSASS access, and check for any other suspicious modules or DLLs loaded in the process.
+- Analyze the granted access value "0x14c0" to confirm if it aligns with typical access patterns for legitimate processes interacting with LSASS, and identify any deviations that could indicate malicious intent.
+- Correlate the alert with other security events or logs from the same host or user account to identify any patterns or additional indicators of compromise, such as failed login attempts or other suspicious process activities.
+- Check for any recent changes or updates to the system that might explain the unusual behavior, such as software installations, patches, or configuration changes that could affect the Secondary Logon service or LSASS.
+
+### False positive analysis
+
+- Legitimate administrative tools or scripts that require access to LSASS for system management tasks may trigger this rule. Users can create exceptions for known tools by excluding specific process names or paths that are verified as safe.
+- Security software or endpoint protection solutions that perform regular scans and require access to LSASS might be flagged. Coordinate with security vendors to identify these processes and exclude them from the rule.
+- System updates or patches that involve the Secondary Logon service could cause temporary access patterns that mimic suspicious behavior. Monitor update schedules and temporarily adjust the rule to prevent false alerts during these periods.
+- Custom enterprise applications that utilize the Secondary Logon service for legitimate purposes may inadvertently match the rule criteria. Work with application developers to understand these access patterns and whitelist the associated processes.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate any suspicious processes associated with svchost.exe that are accessing LSASS with the identified suspicious access rights.
+- Conduct a thorough review of user accounts and privileges on the affected system to identify any unauthorized changes or access.
+- Reset passwords for all accounts that may have been compromised, focusing on high-privilege accounts first.
+- Collect and preserve relevant logs and forensic data from the affected system for further analysis and potential legal action.
+- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the full scope of the breach.
+- Implement additional monitoring and alerting for similar suspicious activities involving LSASS and seclogon.dll to enhance detection capabilities."""
+references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"]
+risk_score = 73
+rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7"
+setup = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Sysmon",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.code == "10" and
+  winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
+
+   /* seclogon service accessing lsass */
+  winlog.event_data.CallTrace : "*seclogon.dll*" and process.name : "svchost.exe" and
+
+   /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */
+  winlog.event_data.GrantedAccess == "0x14c0"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

nldcsc_elastic_rules/rules/windows/credential_access_lsass_loaded_susp_dll.toml

@@ -0,0 +1,160 @@
+[metadata]
+creation_date = "2022/12/28"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into
+LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that
+are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.library-*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Module Loaded by LSASS"
+references = ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"]
+risk_score = 47
+rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where event.category in ("library", "driver") and host.os.type == "windows" and
+  process.executable : "?:\\Windows\\System32\\lsass.exe" and
+  not (dll.code_signature.subject_name :
+               ("Microsoft Windows",
+                "Microsoft Corporation",
+                "Microsoft Windows Publisher",
+                "Microsoft Windows Software Compatibility Publisher",
+                "Microsoft Windows Hardware Compatibility Publisher",
+                "McAfee, Inc.",
+                "SecMaker AB",
+                "HID Global Corporation",
+                "HID Global",
+                "Apple Inc.",
+                "Citrix Systems, Inc.",
+                "Dell Inc",
+                "Hewlett-Packard Company",
+                "Symantec Corporation",
+                "National Instruments Corporation",
+                "DigitalPersona, Inc.",
+                "Novell, Inc.",
+                "gemalto",
+                "EasyAntiCheat Oy",
+                "Entrust Datacard Corporation",
+                "AuriStor, Inc.",
+                "LogMeIn, Inc.",
+                "VMware, Inc.",
+                "Istituto Poligrafico e Zecca dello Stato S.p.A.",
+                "Nubeva Technologies Ltd",
+                "Micro Focus (US), Inc.",
+                "Yubico AB",
+                "GEMALTO SA",
+                "Secure Endpoints, Inc.",
+                "Sophos Ltd",
+                "Morphisec Information Security 2014 Ltd",
+                "Entrust, Inc.",
+                "Nubeva Technologies Ltd",
+                "Micro Focus (US), Inc.",
+                "F5 Networks Inc",
+                "Bit4id",
+                "Thales DIS CPL USA, Inc.",
+                "Micro Focus International plc",
+                "HYPR Corp",
+                "Intel(R) Software Development Products",
+                "PGP Corporation",
+                "Parallels International GmbH",
+                "FrontRange Solutions Deutschland GmbH",
+                "SecureLink, Inc.",
+                "Tidexa OU",
+                "Amazon Web Services, Inc.",
+                "SentryBay Limited",
+                "Audinate Pty Ltd",
+                "CyberArk Software Ltd.",
+                "McAfeeSysPrep",
+                "NVIDIA Corporation PE Sign v2016",
+                "Trend Micro, Inc.",
+                "Fortinet Technologies (Canada) Inc.",
+                "Carbon Black, Inc.") and
+       dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and
+
+     not dll.hash.sha256 :
+                ("811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c",
+                 "1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1",
+                 "ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3",
+                 "26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12",
+                 "9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa",
+                 "d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b",
+                 "0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61",
+                 "4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb",
+                 "86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95")
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Module Loaded by LSASS
+
+The Local Security Authority Subsystem Service (LSASS) is crucial for managing security policies and handling user authentication in Windows environments. Adversaries exploit LSASS by loading malicious or untrusted DLLs to access sensitive credentials. The detection rule identifies such threats by monitoring LSASS for unsigned or untrusted DLLs, excluding known safe signatures and hashes, thus flagging potential credential dumping activities.
+
+### Possible investigation steps
+
+- Review the process details for lsass.exe to confirm the presence of any unsigned or untrusted DLLs loaded into the process. Pay particular attention to the DLL's code signature status and hash values.
+- Cross-reference the identified DLL's hash against known malicious hashes in threat intelligence databases to determine if it is associated with any known threats.
+- Investigate the source and path of the suspicious DLL to understand how it was introduced into the system. This may involve checking recent file creation or modification events in the system directories.
+- Analyze the system's event logs for any related activities or anomalies around the time the suspicious DLL was loaded, such as unusual user logins or privilege escalation attempts.
+- Check for any recent changes in the system's security settings or policies that might have allowed the loading of untrusted DLLs into LSASS.
+- If the DLL is confirmed to be malicious, isolate the affected system to prevent further credential access or lateral movement within the network.
+
+### False positive analysis
+
+- Legitimate software from trusted vendors not included in the exclusion list may trigger false positives. Users can update the exclusion list with additional trusted signatures or hashes from verified vendors to prevent these alerts.
+- Custom or in-house developed DLLs used within the organization might be flagged as suspicious. Organizations should ensure these DLLs are signed with a trusted certificate and add their signatures to the exclusion list if necessary.
+- Security software updates or patches from vendors not currently listed may cause false positives. Regularly review and update the exclusion list to include new trusted signatures from security software providers.
+- Temporary or expired certificates for legitimate DLLs can result in false positives. Users should verify the legitimacy of these DLLs and update the exclusion list with their signatures if they are confirmed safe.
+- DLLs from newly installed software that are not yet recognized as trusted may be flagged. Users should validate the software's source and add its signatures to the exclusion list if it is deemed secure.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the LSASS process if it is confirmed to be running a malicious or untrusted DLL, ensuring that this action does not disrupt critical services.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or remnants.
+- Review and reset credentials for any accounts that may have been compromised, focusing on those with elevated privileges.
+- Implement application whitelisting to prevent unauthorized DLLs from being loaded into critical processes like LSASS in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Update security monitoring tools to enhance detection capabilities for similar threats, ensuring that alerts are generated for any future attempts to load untrusted DLLs into LSASS."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+