Multiple Case of: WIN-DET-CREDS-HMPA-CREDGUARDCLONE-LSASSDUMP-1

Question

Hi everyone, after enabling "aggressive threat" protection" From sophos central, XDR started creating lots of cases for me, on almost all computers with this event: WIN-DET-CREDS-HMPA-CREDGUARDCLONE-LSASSDUMP-1 I can't find much about it and I don't understand if it's a false positive or I should be seriously worried... Intecept-X shows no anomalies on these computers. I attach the detail of one of the events 
 
 {
 "meta_eid": "xxxx",
 "meta_public_ip": "x.x.x.x",
 "meta_aggressive_activity": "True",
 "meta_os_platform": "windows",
 "meta_os_version": "10.0.19045",
 "meta_domain_controller": "False",
 "customer_region": "us-west-2",
 "meta_ip_address": "10.81.234.132",
 "meta_query_pack_version": "1.20.157",
 "meta_boot_time": 1720599479,
 "meta_endpoint_type": "computer",
 "meta_hostname": "DT-XX",
 "meta_mac_address": "00:ff:e5:8a:xx.xx",
 "stream_ingest_time": "1720714159617",
 "meta_os_name": "Microsoft Windows 10 Pro",
 "customer_id": "3f3694b2-8e47-455b-bb7e-7ab28e2a9f18",
 "meta_ip_mask": "255.255.255.0",
 "meta_username": "mbartolotta.vpn",
 "osquery_action": "added",
 "calendar_time": 1720714066000,
 "ioc_event_files": [
 {
 "file_path": "C:\Windows\SysWOW64\WerFault.exe",
 "sha256": "9c39e90ebfdea833750e4f85efd068c9a51132b03e6495c4b32de7e8e8414e3b",
 "file_name": "WerFault.exe",
 "command_line": "C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 14980 -ip 14980"
 }
 ],
 "event_count": 2,
 "ioc_event_threat_source": "Behavioral",
 "process_parent_path": "C:\Windows\System32\svchost.exe",
 "process_local_rep_signers": {
 "reputationData": {
 "isSigned": 1,
 "signerInfo": [
 {
 "isValid": 1,
 "signer": "Microsoft Windows"
 }
 ]
 }
 },
 "ioc_event_time": 1720714066000,
 "process_cmd_line": "C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 14980 -ip 14980",
 "process_name": "WerFault.exe",
 "process_cmd_line_truncated": 0,
 "ioc_event_events": [
 {
 "details": {
 "alertId": "a8116287-c39e-465e-bd14-14fd5e0cf646",
 "mitigation": {
 "reason": "CredGuardClone",
 "setting": "CredGuard",
 "version": 0
 },
 "process": {
 "image": {
 "path": "C:\Windows\SysWOW64\WerFault.exe",
 "productName": "Windows Problem Reporting",
 "productVersion": "10",
 "sha256": {
 "!sha256": "9c39e90ebfdea833750e4f85efd068c9a51132b03e6495c4b32de7e8e8414e3b"
 },
 "signed": true
 },
 "pid": 5436,
 "spid": {
 "!spid": "[5436:133651876655206231]"
 }
 },
 "silent": true,
 "thumbprints": [
 {
 "data": "cad8c0d1f3bc5593a394cc387351ce27cb673b19a7123644255fd700d6acd0e7",
 "type": "Primary"
 }
 ]
 },
 "eventSummary": "Process werfault.exe triggered HMPA CredGuardClone mitigation.",
 "event_value": "CredGuardClone",
 "report": "Mitigation CredGuardClone
Policy CredGuard
Timestamp 2024-07-11T16:07:46

Platform 10.0.19045/x64 v992 06_3c-
PID 5436
WoW x86
Enabled 08FF2E3040000006
Silent 0002000000000000
Application C:\Windows\SysWOW64\WerFault.exe
Created 2024-06-29T10:05:16
Modified 2024-06-29T10:05:16
Description Windows Problem Reporting 10

Cloning process (14980) via NtCreateProcessEx

Stack Trace
# Address Module Location
-- -------- ------------------------ ----------------------------------------
1 0045C062 WerFault.exe 
 50 PUSH EAX
 6804a94200 PUSH DWORD 0x42a904
 50 PUSH EAX
 beb8a84200 MOV ESI, 0x42a8b8
 8945e0 MOV [EBP-0x20], EAX
 56 PUSH ESI
 6864a84200 PUSH DWORD 0x42a864
 6818010000 PUSH DWORD 0x118
 ff7504 PUSH DWORD [EBP+0x4]
 e817040000 CALL 0x45c49b
 83c41c ADD ESP, 0x1c
 837de000 CMP DWORD [EBP-0x20], 0x0
 7571 JNZ 0x45c0fe
 8b8df0feffff MOV ECX, [EBP-0x110]
 85c9 TEST ECX, ECX
 7467 JZ 0x45c0fe

2 0045C3BD WerFault.exe 
3 00433A42 WerFault.exe 
4 0046FECA WerFault.exe 
5 7604FCC9 kernel32.dll BaseThreadInitThunk +0x19
6 772180CE ntdll.dll RtlGetAppContainerNamedObjectPath +0x11e
7 7721809E ntdll.dll RtlGetAppContainerNamedObjectPath +0xee

Loaded Modules (33)
-----------------------------------------------------------------------------
0
...truncated...
)
75EF0000-76010000 C:\Windows\System32\ucrtbase.dll (Microsoft Corporation), 
 version: 10.0.19041.3636 (WinBuild.160101.0800)
76030000-76120000 C:\Windows\SysWOW64\kernel32.dll (Microsoft Corporation), 
 version: 10.0.19041.4474 (WinBuild.160101.0800)
768F0000-76B2A000 C:\Windows\SysWOW64\KernelBase.dll (Microsoft Corporation), 
 version: 10.0.19041.4522 (WinBuild.160101.0800)
76D00000-76E9D000 C:\Windows\System32\USER32.dll (Microsoft Corporation), 
 version: 10.0.19041.4522 (WinBuild.160101.0800)
76EA0000-76F1B000 C:\Windows\System32\msvcp_win.dll (Microsoft Corporation), 
 version: 10.0.19041.3636 (WinBuild.160101.0800)
76F20000-771A0000 C:\Windows\System32\combase.dll (Microsoft Corporation), 
 version: 10.0.19041.4412 (WinBuild.160101.0800)
771A0000-771AA000 C:\Windows\System32\wow64cpu.dll (Microsoft Corporation), 
 version: 10.0.19041.3636 (WinBuild.160101.0800)
771B0000-77354000 C:\Windows\SysWOW64\ntdll.dll (Microsoft Corporation), 
 version: 10.0.19041.4522 (WinBuild.160101.0800)

Process Trace
1 C:\Windows\SysWOW64\WerFault.exe [5436] *
 C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 14980 -ip 14980
2 C:\Windows\System32\svchost.exe [1776] *
 C:\Windows\System32\svchost.exe -k WerSvcGroup
3 C:\Windows\System32\services.exe [960] *
4 C:\Windows\System32\wininit.exe [836] *
 wininit.exe

Services
1776 WerSvc

Dropped Files
1 C:\ProgramData\Microsoft\Windows\WER\Temp\7b2a790b-4899-41db-970e-6f1a7a894d0c
 Dropped by C:\Windows\SysWOW64\WerFault.exe [5436]
2 C:\ProgramData\Microsoft\Windows\WER\Temp\f027e96d-cd6a-4f15-87c9-20590d9e03c1
 Dropped by C:\Windows\SysWOW64\WerFault.exe [5436]
1 C:\ProgramData\Microsoft\Windows\WER\Temp\896bb261-a30a-4c1f-addf-8717f3193bf3
 Dropped by C:\Windows\System32\svchost.exe [1776]

Thumbprint (pfn)
cad8c0d1f3bc5593a394cc387351ce27cb673b19a7123644255fd700d6acd0e7",
 "senderSpid": {
 "!spid": "[2112:133650730837011942]"
 },
 "time": {
 "!uint64": "133651876661915864"
 },
 "timestamp": {
 "!uint64": "1720714066"
 },
 "type": "HmpaDetection",
 "version": 2
 },
 {
 "cmdline": "C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 14980 -ip 14980",
 "event_value": "C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 14980 -ip 14980",
 "irep": 5,
 "newSpid": {
 "!spid": "[5436:133651876655206231]"
 },
 "pwin32Path": "C:\Windows\System32\svchost.exe",
 "rep": 5,
 "sha256": {
 "!sha256": "9c39e90ebfdea833750e4f85efd068c9a51132b03e6495c4b32de7e8e8414e3b"
 },
 "spid": {
 "!spid": "[1776:133651876653203662]"
 },
 "stid": {
 "!stid": "[14408:133651876654535333]"
 },
 "time": {
 "!uint64": "133651876655197713"
 },
 "type": "ProcessCreate",
 "userSid": {
 "!sid": "S-1-5-18"
 },
 "versionInfo": {
 "CompanyName": "Microsoft Corporation",
 "FileDescription": "Windows Problem Reporting",
 "FileVersion": "10.0.19041.4474 (WinBuild.160101.0800)",
 "InternalName": "WerFault",
 "LegalCopyright": "&#169; Microsoft Corporation. All rights reserved.",
 "LegalTrademarks": "",
 "OriginalFilename": "WerFault.exe",
 "ProductName": "Microsoft&#174; Windows&#174; Operating System",
 "ProductVersion": "10.0.19041.4474"
 },
 "win32Path": "C:\Windows\SysWOW64\WerFault.exe"
 },
 {
 "contextSummary": null,
 "eventSummary": "werfault.exe is associated by SPID to the high-risk detection WIN-DET-CREDS-HMPA-CREDGUARDCLONE-LSASSDUMP-1.",
 "indicator": "Risk_Correlated",
 "insights": [
 "Correlated_By_SPID",
 "High_Risk_Correlated",
 "Microsoft_Signed"
 ],
 "process": "werfault.exe",
 "riskState": "HIGH",
 "spid": {
 "!spid": "[5436:133651876655206231]"
 },
 "type": "AttackProfile",
 "userSid": {
 "!sid": "S-1-5-18"
 }
 }
 ],
 "process_pua_score": 18,
 "process_file_size": 489968,
 "process_local_rep": 91,
 "sophos_pid": "5436:133651876655206231",
 "process_pid": 5436,
 "ioc_event_path": "C:\Windows\SysWOW64\WerFault.exe",
 "process_ml_score_band": "LIKELY_BENIGN",
 "process_ml_score": 6,
 "ioc_events_size": 14668,
 "ioc_event_username": "SYSTEM",
 "process_parent_sophos_pid": "1776:133651876653203662",
 "ioc_event_ttp_summary": "TA0006-T1003.001",
 "process_path": "C:\Windows\SysWOW64\WerFault.exe",
 "process_parent_name": "svchost.exe",
 "process_sha256": "9c39e90ebfdea833750e4f85efd068c9a51132b03e6495c4b32de7e8e8414e3b",
 "ioc_event_sid": "S-1-5-18",
 "ioc_event_event": "{\"time\":1720714066,\"mitre_ttps\":[{\"tactic\":\"TA0006\",\"technique\":\"T1003.001\",\"ttpDescriptionId\":\"T1003.001\",\"verbosity\":8}],\"detection_id\":\"CREDS-HMPA-CREDGUARDCLONE-LSASSDUMP-1\",\"sophos_tid\":\"14408:133651876654535333\",\"path\":\"C:\\Windows\\SysWOW64\\WerFault.exe\",\"sid\":\"S-1-5-18\",\"username\":\"SYSTEM\",\"threat_source\":\"Behavioral\",\"events\":\"[{\\"details\\":{\\"alertId\\":\\"a8116287-c39e-465e-bd14-14fd5e0cf646\\",\\"mitigation\\":{\\"reason\\":\\"CredGuardClone\\",\\"setting\\":\\"CredGuard\\",\\"version\\":0},\\"process\\":{\\"image\\":{\\"path\\":\\"C:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\",\\"productName\\":\\"Windows Problem Reporting\\",\\"productVersion\\":\\"10\\",\\"sha256\\":{\\"!sha256\\":\\"9c39e90ebfdea833750e4f85efd068c9a51132b03e6495c4b32de7e8e8414e3b\\"},\\"signed\\":true},\\"pid\\":5436,\\"spid\\":{\\"!spid\\":\\"[5436:133651876655206231]\\"}},\\"silent\\":true,\\"thumbprints\\":[{\\"data\\":\\"cad8c0d1f3bc5593a394cc387351ce27cb673b19a7123644255fd700d6acd0e7\\",\\"type\\":\\"Primary\\"}]},\\"eventSummary\\":\\"Process werfault.exe triggered HMPA CredGuardClone mitigation.\\",\\"event_value\\":\\"CredGuardClone\\",\\"report\\":\\"Mitigation CredGuardClone\\r\\nPolicy CredGuard\\r\\nTimestamp 2024-07-11T16:07:46\\r\\n\\r\\nPlatform 10.0.19045/x64 v992 06_3c-\\r\\nPID 5436\\r\\nWoW x86\\r\\nEnabled 08FF2E3040000006\\r\\nSilent 0002000000000000\\r\\nApplication C:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\r\\nCreated 2024-06-29T10:05:16\\r\\nModified 2024-06-29T10:05:16\\r\\nDescription Windows Problem Reporting 10\\r\\n\\r\\nCloning process (14980) via NtCreateProcessEx\\n\\r\\nStack Trace\\r\\n# Address Module Location\\r\\n-- -------- ------------------------ ----------------------------------------\\r\\n1 0045C062 WerFault.exe \\r\\n 50 PUSH EAX\\n 6804a94200 PUSH DWORD 0x42a904\\n 50 PUSH EAX\\n beb8a84200 MOV ESI, 0x42a8b8\\n 8945e0 MOV [EBP-0x20], EAX\\n 56 PUSH ESI\\n 6864a84200 PUSH DWORD 0x42a864\\n 6818010000 PUSH DWORD 0x118\\n ff7504 PUSH DWORD [EBP+0x4]\\n e817040000 CALL 0x45c49b\\n 83c41c ADD ESP, 0x1c\\n 837de000 CMP DWORD [EBP-0x20], 0x0\\n 7571 JNZ 0x45c0fe\\n 8b8df0feffff MOV ECX, [EBP-0x110]\\n 85c9 TEST ECX, ECX\\n 7467 JZ 0x45c0fe\\n\\r\\n2 0045C3BD WerFault.exe \\r\\n3 00433A42 WerFault.exe \\r\\n4 0046FECA WerFault.exe \\r\\n5 7604FCC9 kernel32.dll BaseThreadInitThunk +0x19\\r\\n6 772180CE ntdll.dll RtlGetAppContainerNamedObjectPath +0x11e\\r\\n7 7721809E ntdll.dll RtlGetAppContainerNamedObjectPath +0xee\\r\\n\\r\\nLoaded Modules (33)\\r\\n-----------------------------------------------------------------------------\\r\\n0\\r\\n...truncated...\\r\\n)\\r\\n75EF0000-76010000 C:\\\\Windows\\\\System32\\\\ucrtbase.dll (Microsoft Corporation), \\r\\n version: 10.0.19041.3636 (WinBuild.160101.0800)\\r\\n76030000-76120000 C:\\\\Windows\\\\SysWOW64\\\\kernel32.dll (Microsoft Corporation), \\r\\n version: 10.0.19041.4474 (WinBuild.160101.0800)\\r\\n768F0000-76B2A000 C:\\\\Windows\\\\SysWOW64\\\\KernelBase.dll (Microsoft Corporation), \\r\\n version: 10.0.19041.4522 (WinBuild.160101.0800)\\r\\n76D00000-76E9D000 C:\\\\Windows\\\\System32\\\\USER32.dll (Microsoft Corporation), \\r\\n version: 10.0.19041.4522 (WinBuild.160101.0800)\\r\\n76EA0000-76F1B000 C:\\\\Windows\\\\System32\\\\msvcp_win.dll (Microsoft Corporation), \\r\\n version: 10.0.19041.3636 (WinBuild.160101.0800)\\r\\n76F20000-771A0000 C:\\\\Windows\\\\System32\\\\combase.dll (Microsoft Corporation), \\r\\n version: 10.0.19041.4412 (WinBuild.160101.0800)\\r\\n771A0000-771AA000 C:\\\\Windows\\\\System32\\\\wow64cpu.dll (Microsoft Corporation), \\r\\n version: 10.0.19041.3636 (WinBuild.160101.0800)\\r\\n771B0000-77354000 C:\\\\Windows\\\\SysWOW64\\\\ntdll.dll (Microsoft Corporation), \\r\\n version: 10.0.19041.4522 (WinBuild.160101.0800)\\r\\n\\r\\nProcess Trace\\r\\n1 C:\\\\Windows\\\\SysWOW64\\\\WerFault.exe [5436] *\\r\\n C:\\\\Windows\\\\SysWOW64\\\\WerFault.exe -pss -s 504 -p 14980 -ip 14980\\r\\n2 C:\\\\Windows\\\\System32\\\\svchost.exe [1776] *\\r\\n C:\\\\Windows\\\\System32\\\\svchost.exe -k WerSvcGroup\\r\\n3 C:\\\\Windows\\\\System32\\\\services.exe [960] *\\r\\n4 C:\\\\Windows\\\\System32\\\\wininit.exe [836] *\\r\\n wininit.exe\\r\\n\\r\\nServices\\r\\n1776 WerSvc\\r\\n\\r\\nDropped Files\\r\\n1 C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\7b2a790b-4899-41db-970e-6f1a7a894d0c\\r\\n Dropped by C:\\\\Windows\\\\SysWOW64\\\\WerFault.exe [5436]\\r\\n2 C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\f027e96d-cd6a-4f15-87c9-20590d9e03c1\\r\\n Dropped by C:\\\\Windows\\\\SysWOW64\\\\WerFault.exe [5436]\\r\\n1 C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\Temp\\\\896bb261-a30a-4c1f-addf-8717f3193bf3\\r\\n Dropped by C:\\\\Windows\\\\System32\\\\svchost.exe [1776]\\r\\n\\r\\nThumbprint (pfn)\\r\\ncad8c0d1f3bc5593a394cc387351ce27cb673b19a7123644255fd700d6acd0e7\\",\\"senderSpid\\":{\\"!spid\\":\\"[2112:133650730837011942]\\"},\\"time\\":{\\"!uint64\\":\\"133651876661915864\\"},\\"timestamp\\":{\\"!uint64\\":\\"1720714066\\"},\\"type\\":\\"HmpaDetection\\",\\"version\\":2},{\\"cmdline\\":\\"C:\\\\Windows\\\\SysWOW64\\\\WerFault.exe -pss -s 504 -p 14980 -ip 14980\\",\\"event_value\\":\\"C:\\\\Windows\\\\SysWOW64\\\\WerFault.exe -pss -s 504 -p 14980 -ip 14980\\",\\"irep\\":5,\\"newSpid\\":{\\"!spid\\":\\"[5436:133651876655206231]\\"},\\"pwin32Path\\":\\"C:\\\\Windows\\\\System32\\\\svchost.exe\\",\\"rep\\":5,\\"sha256\\":{\\"!sha256\\":\\"9c39e90ebfdea833750e4f85efd068c9a51132b03e6495c4b32de7e8e8414e3b\\"},\\"spid\\":{\\"!spid\\":\\"[1776:133651876653203662]\\"},\\"stid\\":{\\"!stid\\":\\"[14408:133651876654535333]\\"},\\"time\\":{\\"!uint64\\":\\"133651876655197713\\"},\\"type\\":\\"ProcessCreate\\",\\"userSid\\":{\\"!sid\\":\\"S-1-5-18\\"},\\"versionInfo\\":{\\"CompanyName\\":\\"Microsoft Corporation\\",\\"FileDescription\\":\\"Windows Problem Reporting\\",\\"FileVersion\\":\\"10.0.19041.4474 (WinBuild.160101.0800)\\",\\"InternalName\\":\\"WerFault\\",\\"LegalCopyright\\":\\"\\u00a9 Microsoft Corporation. All rights reserved.\\",\\"LegalTrademarks\\":\\"\\",\\"OriginalFilename\\":\\"WerFault.exe\\",\\"ProductName\\":\\"Microsoft\\u00ae Windows\\u00ae Operating System\\",\\"ProductVersion\\":\\"10.0.19041.4474\\"},\\"win32Path\\":\\"C:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\"},{\\"contextSummary\\":null,\\"eventSummary\\":\\"werfault.exe is associated by SPID to the high-risk detection WIN-DET-CREDS-HMPA-CREDGUARDCLONE-LSASSDUMP-1.\\",\\"indicator\\":\\"Risk_Correlated\\",\\"insights\\":[\\"Correlated_By_SPID\\",\\"High_Risk_Correlated\\",\\"Microsoft_Signed\\"],\\"process\\":\\"werfault.exe\\",\\"riskState\\":\\"HIGH\\",\\"spid\\":{\\"!spid\\":\\"[5436:133651876655206231]\\"},\\"type\\":\\"AttackProfile\\",\\"userSid\\":{\\"!sid\\":\\"S-1-5-18\\"}}]\"}",
 "ioc_event_sophos_tid": "14408:133651876654535333",
 "process_global_rep": -1,
 "counter": 91,
 "epoch": 1720426655,
 "folded": 0,
 "host_identifier": "4C4C4544-004B-5010-804C-C8C04F393932",
 "query_name": "sophos_runtime_iocs_windows",
 "numerics": false,
 "tag": "stream",
 "unix_time": 1720714066000
}