Multiple Cases of: WIN-DET-CREDS-HMPA-CREDGUARDCLONE-LSASSDUMP-1

Hi everyone,
after enabling "aggressive threat protection" from Sophos Central, XDR started creating lots of cases for me, on almost all computers, with this event:
WIN-DET-CREDS-HMPA-CREDGUARDCLONE-LSASSDUMP-1
I can't find much about it, and I don't understand whether it's a false positive or whether I should be seriously worried...
Intercept X shows no anomalies on these computers.
I have attached the details of one of the events:

{
  "meta_eid": "xxxx",
  "meta_public_ip": "x.x.x.x",
  "meta_aggressive_activity": "True",
  "meta_os_platform": "windows",
  "meta_os_version": "10.0.19045",
  "meta_domain_controller": "False",
  "customer_region": "us-west-2",
  "meta_ip_address": "10.81.234.132",
  "meta_query_pack_version": "1.20.157",
  "meta_boot_time": 1720599479,
  "meta_endpoint_type": "computer",
  "meta_hostname": "DT-XX",
  "meta_mac_address": "00:ff:e5:8a:xx.xx",
  "stream_ingest_time": "1720714159617",
  "meta_os_name": "Microsoft Windows 10 Pro",
  "customer_id": "3f3694b2-8e47-455b-bb7e-7ab28e2a9f18",
  "meta_ip_mask": "255.255.255.0",
  "meta_username": "mbartolotta.vpn",
  "osquery_action": "added",
  "calendar_time": 1720714066000,
  "ioc_event_files": [
    {
      "file_path": "C:\\Windows\\SysWOW64\\WerFault.exe",
      "sha256": "9c39e90ebfdea833750e4f85efd068c9a51132b03e6495c4b32de7e8e8414e3b",
      "file_name": "WerFault.exe",
      "command_line": "C:\\Windows\\SysWOW64\\WerFault.exe -pss -s 504 -p 14980 -ip 14980"
    }
  ],
  "event_count": 2,
  "ioc_event_threat_source": "Behavioral",
  "process_parent_path": "C:\\Windows\\System32\\svchost.exe",
  "process_local_rep_signers": {
    "reputationData": {
      "isSigned": 1,
      "signerInfo": [
        {
          "isValid": 1,
          "signer": "Microsoft Windows"
        }
      ]
    }
  },
  "ioc_event_time": 1720714066000,
  "process_cmd_line": "C:\\Windows\\SysWOW64\\WerFault.exe -pss -s 504 -p 14980 -ip 14980",
  "process_name": "WerFault.exe",
  "process_cmd_line_truncated": 0,
  "ioc_event_events": [
    {
      "details": {
        "alertId": "a8116287-c39e-465e-bd14-14fd5e0cf646",
        "mitigation": {
          "reason": "CredGuardClone",
          "setting": "CredGuard",
          "version": 0
        },
        "process": {
          "image": {
            "path": "C:\\Windows\\SysWOW64\\WerFault.exe",
            "productName": "Windows Problem Reporting",
            "productVersion": "10",
            "sha256": {
              "!sha256": "9c39e90ebfdea833750e4f85efd068c9a51132b03e6495c4b32de7e8e8414e3b"
            },
            "signed": true
          },
          "pid": 5436,
          "spid": {
            "!spid": "[5436:133651876655206231]"
          }
        },
        "silent": true,
        "thumbprints": [
          {
            "data": "cad8c0d1f3bc5593a394cc387351ce27cb673b19a7123644255fd700d6acd0e7",
            "type": "Primary"
          }
        ]
      },
      "eventSummary": "Process werfault.exe triggered HMPA CredGuardClone mitigation.",
      "event_value": "CredGuardClone",
      "report": "Mitigation   CredGuardClone\r\nPolicy       CredGuard\r\nTimestamp    2024-07-11T16:07:46\r\n\r\nPlatform     10.0.19045/x64 v992 06_3c-\r\nPID          5436\r\nWoW          x86\r\nEnabled      08FF2E3040000006\r\nSilent       0002000000000000\r\nApplication  C:\\Windows\\SysWOW64\\WerFault.exe\r\nCreated      2024-06-29T10:05:16\r\nModified     2024-06-29T10:05:16\r\nDescription  Windows Problem Reporting 10\r\n\r\nCloning process (14980) via NtCreateProcessEx\n\r\nStack Trace\r\n#  Address  Module                   Location\r\n-- -------- ------------------------ ----------------------------------------\r\n1  0045C062 WerFault.exe            \r\n            50                       PUSH         EAX\n            6804a94200               PUSH         DWORD 0x42a904\n            50                       PUSH         EAX\n            beb8a84200               MOV          ESI, 0x42a8b8\n            8945e0                   MOV          [EBP-0x20], EAX\n            56                       PUSH         ESI\n            6864a84200               PUSH         DWORD 0x42a864\n            6818010000               PUSH         DWORD 0x118\n            ff7504                   PUSH         DWORD [EBP+0x4]\n            e817040000               CALL         0x45c49b\n            83c41c                   ADD          ESP, 0x1c\n            837de000                 CMP          DWORD [EBP-0x20], 0x0\n            7571                     JNZ          0x45c0fe\n            8b8df0feffff             MOV          ECX, [EBP-0x110]\n            85c9                     TEST         ECX, ECX\n            7467                     JZ           0x45c0fe\n\r\n2  0045C3BD WerFault.exe            \r\n3  00433A42 WerFault.exe            \r\n4  0046FECA WerFault.exe            \r\n5  7604FCC9 kernel32.dll             BaseThreadInitThunk +0x19\r\n6  772180CE ntdll.dll                RtlGetAppContainerNamedObjectPath +0x11e\r\n7  7721809E ntdll.dll                
RtlGetAppContainerNamedObjectPath +0xee\r\n\r\nLoaded Modules (33)\r\n-----------------------------------------------------------------------------\r\n0\r\n...truncated...\r\n)\r\n75EF0000-76010000 C:\\Windows\\System32\\ucrtbase.dll (Microsoft Corporation), \r\n                  version: 10.0.19041.3636 (WinBuild.160101.0800)\r\n76030000-76120000 C:\\Windows\\SysWOW64\\kernel32.dll (Microsoft Corporation), \r\n                  version: 10.0.19041.4474 (WinBuild.160101.0800)\r\n768F0000-76B2A000 C:\\Windows\\SysWOW64\\KernelBase.dll (Microsoft Corporation), \r\n                  version: 10.0.19041.4522 (WinBuild.160101.0800)\r\n76D00000-76E9D000 C:\\Windows\\System32\\USER32.dll (Microsoft Corporation), \r\n                  version: 10.0.19041.4522 (WinBuild.160101.0800)\r\n76EA0000-76F1B000 C:\\Windows\\System32\\msvcp_win.dll (Microsoft Corporation), \r\n                  version: 10.0.19041.3636 (WinBuild.160101.0800)\r\n76F20000-771A0000 C:\\Windows\\System32\\combase.dll (Microsoft Corporation), \r\n                  version: 10.0.19041.4412 (WinBuild.160101.0800)\r\n771A0000-771AA000 C:\\Windows\\System32\\wow64cpu.dll (Microsoft Corporation), \r\n                  version: 10.0.19041.3636 (WinBuild.160101.0800)\r\n771B0000-77354000 C:\\Windows\\SysWOW64\\ntdll.dll (Microsoft Corporation), \r\n                  version: 10.0.19041.4522 (WinBuild.160101.0800)\r\n\r\nProcess Trace\r\n1  C:\\Windows\\SysWOW64\\WerFault.exe [5436] *\r\n   C:\\Windows\\SysWOW64\\WerFault.exe -pss -s 504 -p 14980 -ip 14980\r\n2  C:\\Windows\\System32\\svchost.exe [1776] *\r\n   C:\\Windows\\System32\\svchost.exe -k WerSvcGroup\r\n3  C:\\Windows\\System32\\services.exe [960] *\r\n4  C:\\Windows\\System32\\wininit.exe [836] *\r\n   wininit.exe\r\n\r\nServices\r\n1776  WerSvc\r\n\r\nDropped Files\r\n1  C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\7b2a790b-4899-41db-970e-6f1a7a894d0c\r\n     Dropped by C:\\Windows\\SysWOW64\\WerFault.exe [5436]\r\n2  
C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\f027e96d-cd6a-4f15-87c9-20590d9e03c1\r\n     Dropped by C:\\Windows\\SysWOW64\\WerFault.exe [5436]\r\n1  C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\896bb261-a30a-4c1f-addf-8717f3193bf3\r\n     Dropped by C:\\Windows\\System32\\svchost.exe [1776]\r\n\r\nThumbprint (pfn)\r\ncad8c0d1f3bc5593a394cc387351ce27cb673b19a7123644255fd700d6acd0e7",
      "senderSpid": {
        "!spid": "[2112:133650730837011942]"
      },
      "time": {
        "!uint64": "133651876661915864"
      },
      "timestamp": {
        "!uint64": "1720714066"
      },
      "type": "HmpaDetection",
      "version": 2
    },
    {
      "cmdline": "C:\\Windows\\SysWOW64\\WerFault.exe -pss -s 504 -p 14980 -ip 14980",
      "event_value": "C:\\Windows\\SysWOW64\\WerFault.exe -pss -s 504 -p 14980 -ip 14980",
      "irep": 5,
      "newSpid": {
        "!spid": "[5436:133651876655206231]"
      },
      "pwin32Path": "C:\\Windows\\System32\\svchost.exe",
      "rep": 5,
      "sha256": {
        "!sha256": "9c39e90ebfdea833750e4f85efd068c9a51132b03e6495c4b32de7e8e8414e3b"
      },
      "spid": {
        "!spid": "[1776:133651876653203662]"
      },
      "stid": {
        "!stid": "[14408:133651876654535333]"
      },
      "time": {
        "!uint64": "133651876655197713"
      },
      "type": "ProcessCreate",
      "userSid": {
        "!sid": "S-1-5-18"
      },
      "versionInfo": {
        "CompanyName": "Microsoft Corporation",
        "FileDescription": "Windows Problem Reporting",
        "FileVersion": "10.0.19041.4474 (WinBuild.160101.0800)",
        "InternalName": "WerFault",
        "LegalCopyright": "© Microsoft Corporation. All rights reserved.",
        "LegalTrademarks": "",
        "OriginalFilename": "WerFault.exe",
        "ProductName": "Microsoft® Windows® Operating System",
        "ProductVersion": "10.0.19041.4474"
      },
      "win32Path": "C:\\Windows\\SysWOW64\\WerFault.exe"
    },
    {
      "contextSummary": null,
      "eventSummary": "werfault.exe is associated by SPID to the high-risk detection WIN-DET-CREDS-HMPA-CREDGUARDCLONE-LSASSDUMP-1.",
      "indicator": "Risk_Correlated",
      "insights": [
        "Correlated_By_SPID",
        "High_Risk_Correlated",
        "Microsoft_Signed"
      ],
      "process": "werfault.exe",
      "riskState": "HIGH",
      "spid": {
        "!spid": "[5436:133651876655206231]"
      },
      "type": "AttackProfile",
      "userSid": {
        "!sid": "S-1-5-18"
      }
    }
  ],
  "process_pua_score": 18,
  "process_file_size": 489968,
  "process_local_rep": 91,
  "sophos_pid": "5436:133651876655206231",
  "process_pid": 5436,
  "ioc_event_path": "C:\\Windows\\SysWOW64\\WerFault.exe",
  "process_ml_score_band": "LIKELY_BENIGN",
  "process_ml_score": 6,
  "ioc_events_size": 14668,
  "ioc_event_username": "SYSTEM",
  "process_parent_sophos_pid": "1776:133651876653203662",
  "ioc_event_ttp_summary": "TA0006-T1003.001",
  "process_path": "C:\\Windows\\SysWOW64\\WerFault.exe",
  "process_parent_name": "svchost.exe",
  "process_sha256": "9c39e90ebfdea833750e4f85efd068c9a51132b03e6495c4b32de7e8e8414e3b",
  "ioc_event_sid": "S-1-5-18",
  "ioc_event_event": "{\"time\":1720714066,\"mitre_ttps\":[{\"tactic\":\"TA0006\",\"technique\":\"T1003.001\",\"ttpDescriptionId\":\"T1003.001\",\"verbosity\":8}],\"detection_id\":\"CREDS-HMPA-CREDGUARDCLONE-LSASSDUMP-1\",\"sophos_tid\":\"14408:133651876654535333\",\"path\":\"C:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\"sid\":\"S-1-5-18\",\"username\":\"SYSTEM\",\"threat_source\":\"Behavioral\",\"events\":\"[{\\\"details\\\":{\\\"alertId\\\":\\\"a8116287-c39e-465e-bd14-14fd5e0cf646\\\",\\\"mitigation\\\":{\\\"reason\\\":\\\"CredGuardClone\\\",\\\"setting\\\":\\\"CredGuard\\\",\\\"version\\\":0},\\\"process\\\":{\\\"image\\\":{\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\\"productName\\\":\\\"Windows Problem Reporting\\\",\\\"productVersion\\\":\\\"10\\\",\\\"sha256\\\":{\\\"!sha256\\\":\\\"9c39e90ebfdea833750e4f85efd068c9a51132b03e6495c4b32de7e8e8414e3b\\\"},\\\"signed\\\":true},\\\"pid\\\":5436,\\\"spid\\\":{\\\"!spid\\\":\\\"[5436:133651876655206231]\\\"}},\\\"silent\\\":true,\\\"thumbprints\\\":[{\\\"data\\\":\\\"cad8c0d1f3bc5593a394cc387351ce27cb673b19a7123644255fd700d6acd0e7\\\",\\\"type\\\":\\\"Primary\\\"}]},\\\"eventSummary\\\":\\\"Process werfault.exe triggered HMPA CredGuardClone mitigation.\\\",\\\"event_value\\\":\\\"CredGuardClone\\\",\\\"report\\\":\\\"Mitigation   CredGuardClone\\\\r\\\\nPolicy       CredGuard\\\\r\\\\nTimestamp    2024-07-11T16:07:46\\\\r\\\\n\\\\r\\\\nPlatform     10.0.19045/x64 v992 06_3c-\\\\r\\\\nPID          5436\\\\r\\\\nWoW          x86\\\\r\\\\nEnabled      08FF2E3040000006\\\\r\\\\nSilent       0002000000000000\\\\r\\\\nApplication  C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\\r\\\\nCreated      2024-06-29T10:05:16\\\\r\\\\nModified     2024-06-29T10:05:16\\\\r\\\\nDescription  Windows Problem Reporting 10\\\\r\\\\n\\\\r\\\\nCloning process (14980) via NtCreateProcessEx\\\\n\\\\r\\\\nStack Trace\\\\r\\\\n#  Address  Module                   Location\\\\r\\\\n-- -------- 
------------------------ ----------------------------------------\\\\r\\\\n1  0045C062 WerFault.exe            \\\\r\\\\n            50                       PUSH         EAX\\\\n            6804a94200               PUSH         DWORD 0x42a904\\\\n            50                       PUSH         EAX\\\\n            beb8a84200               MOV          ESI, 0x42a8b8\\\\n            8945e0                   MOV          [EBP-0x20], EAX\\\\n            56                       PUSH         ESI\\\\n            6864a84200               PUSH         DWORD 0x42a864\\\\n            6818010000               PUSH         DWORD 0x118\\\\n            ff7504                   PUSH         DWORD [EBP+0x4]\\\\n            e817040000               CALL         0x45c49b\\\\n            83c41c                   ADD          ESP, 0x1c\\\\n            837de000                 CMP          DWORD [EBP-0x20], 0x0\\\\n            7571                     JNZ          0x45c0fe\\\\n            8b8df0feffff             MOV          ECX, [EBP-0x110]\\\\n            85c9                     TEST         ECX, ECX\\\\n            7467                     JZ           0x45c0fe\\\\n\\\\r\\\\n2  0045C3BD WerFault.exe            \\\\r\\\\n3  00433A42 WerFault.exe            \\\\r\\\\n4  0046FECA WerFault.exe            \\\\r\\\\n5  7604FCC9 kernel32.dll             BaseThreadInitThunk +0x19\\\\r\\\\n6  772180CE ntdll.dll                RtlGetAppContainerNamedObjectPath +0x11e\\\\r\\\\n7  7721809E ntdll.dll                RtlGetAppContainerNamedObjectPath +0xee\\\\r\\\\n\\\\r\\\\nLoaded Modules (33)\\\\r\\\\n-----------------------------------------------------------------------------\\\\r\\\\n0\\\\r\\\\n...truncated...\\\\r\\\\n)\\\\r\\\\n75EF0000-76010000 C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ucrtbase.dll (Microsoft Corporation), \\\\r\\\\n                  version: 10.0.19041.3636 (WinBuild.160101.0800)\\\\r\\\\n76030000-76120000 C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\kernel32.dll 
(Microsoft Corporation), \\\\r\\\\n                  version: 10.0.19041.4474 (WinBuild.160101.0800)\\\\r\\\\n768F0000-76B2A000 C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\KernelBase.dll (Microsoft Corporation), \\\\r\\\\n                  version: 10.0.19041.4522 (WinBuild.160101.0800)\\\\r\\\\n76D00000-76E9D000 C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\USER32.dll (Microsoft Corporation), \\\\r\\\\n                  version: 10.0.19041.4522 (WinBuild.160101.0800)\\\\r\\\\n76EA0000-76F1B000 C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msvcp_win.dll (Microsoft Corporation), \\\\r\\\\n                  version: 10.0.19041.3636 (WinBuild.160101.0800)\\\\r\\\\n76F20000-771A0000 C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\combase.dll (Microsoft Corporation), \\\\r\\\\n                  version: 10.0.19041.4412 (WinBuild.160101.0800)\\\\r\\\\n771A0000-771AA000 C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wow64cpu.dll (Microsoft Corporation), \\\\r\\\\n                  version: 10.0.19041.3636 (WinBuild.160101.0800)\\\\r\\\\n771B0000-77354000 C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\ntdll.dll (Microsoft Corporation), \\\\r\\\\n                  version: 10.0.19041.4522 (WinBuild.160101.0800)\\\\r\\\\n\\\\r\\\\nProcess Trace\\\\r\\\\n1  C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe [5436] *\\\\r\\\\n   C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe -pss -s 504 -p 14980 -ip 14980\\\\r\\\\n2  C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe [1776] *\\\\r\\\\n   C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k WerSvcGroup\\\\r\\\\n3  C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe [960] *\\\\r\\\\n4  C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wininit.exe [836] *\\\\r\\\\n   wininit.exe\\\\r\\\\n\\\\r\\\\nServices\\\\r\\\\n1776  WerSvc\\\\r\\\\n\\\\r\\\\nDropped Files\\\\r\\\\n1  C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\WER\\\\\\\\Temp\\\\\\\\7b2a790b-4899-41db-970e-6f1a7a894d0c\\\\r\\\\n     Dropped by 
C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe [5436]\\\\r\\\\n2  C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\WER\\\\\\\\Temp\\\\\\\\f027e96d-cd6a-4f15-87c9-20590d9e03c1\\\\r\\\\n     Dropped by C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe [5436]\\\\r\\\\n1  C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\WER\\\\\\\\Temp\\\\\\\\896bb261-a30a-4c1f-addf-8717f3193bf3\\\\r\\\\n     Dropped by C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe [1776]\\\\r\\\\n\\\\r\\\\nThumbprint (pfn)\\\\r\\\\ncad8c0d1f3bc5593a394cc387351ce27cb673b19a7123644255fd700d6acd0e7\\\",\\\"senderSpid\\\":{\\\"!spid\\\":\\\"[2112:133650730837011942]\\\"},\\\"time\\\":{\\\"!uint64\\\":\\\"133651876661915864\\\"},\\\"timestamp\\\":{\\\"!uint64\\\":\\\"1720714066\\\"},\\\"type\\\":\\\"HmpaDetection\\\",\\\"version\\\":2},{\\\"cmdline\\\":\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe -pss -s 504 -p 14980 -ip 14980\\\",\\\"event_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe -pss -s 504 -p 14980 -ip 14980\\\",\\\"irep\\\":5,\\\"newSpid\\\":{\\\"!spid\\\":\\\"[5436:133651876655206231]\\\"},\\\"pwin32Path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"rep\\\":5,\\\"sha256\\\":{\\\"!sha256\\\":\\\"9c39e90ebfdea833750e4f85efd068c9a51132b03e6495c4b32de7e8e8414e3b\\\"},\\\"spid\\\":{\\\"!spid\\\":\\\"[1776:133651876653203662]\\\"},\\\"stid\\\":{\\\"!stid\\\":\\\"[14408:133651876654535333]\\\"},\\\"time\\\":{\\\"!uint64\\\":\\\"133651876655197713\\\"},\\\"type\\\":\\\"ProcessCreate\\\",\\\"userSid\\\":{\\\"!sid\\\":\\\"S-1-5-18\\\"},\\\"versionInfo\\\":{\\\"CompanyName\\\":\\\"Microsoft Corporation\\\",\\\"FileDescription\\\":\\\"Windows Problem Reporting\\\",\\\"FileVersion\\\":\\\"10.0.19041.4474 (WinBuild.160101.0800)\\\",\\\"InternalName\\\":\\\"WerFault\\\",\\\"LegalCopyright\\\":\\\"\\\\u00a9 Microsoft Corporation. 
All rights reserved.\\\",\\\"LegalTrademarks\\\":\\\"\\\",\\\"OriginalFilename\\\":\\\"WerFault.exe\\\",\\\"ProductName\\\":\\\"Microsoft\\\\u00ae Windows\\\\u00ae Operating System\\\",\\\"ProductVersion\\\":\\\"10.0.19041.4474\\\"},\\\"win32Path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\"},{\\\"contextSummary\\\":null,\\\"eventSummary\\\":\\\"werfault.exe is associated by SPID to the high-risk detection WIN-DET-CREDS-HMPA-CREDGUARDCLONE-LSASSDUMP-1.\\\",\\\"indicator\\\":\\\"Risk_Correlated\\\",\\\"insights\\\":[\\\"Correlated_By_SPID\\\",\\\"High_Risk_Correlated\\\",\\\"Microsoft_Signed\\\"],\\\"process\\\":\\\"werfault.exe\\\",\\\"riskState\\\":\\\"HIGH\\\",\\\"spid\\\":{\\\"!spid\\\":\\\"[5436:133651876655206231]\\\"},\\\"type\\\":\\\"AttackProfile\\\",\\\"userSid\\\":{\\\"!sid\\\":\\\"S-1-5-18\\\"}}]\"}",
  "ioc_event_sophos_tid": "14408:133651876654535333",
  "process_global_rep": -1,
  "counter": 91,
  "epoch": 1720426655,
  "folded": 0,
  "host_identifier": "4C4C4544-004B-5010-804C-C8C04F393932",
  "query_name": "sophos_runtime_iocs_windows",
  "numerics": false,
  "tag": "stream",
  "unix_time": 1720714066000
}