Rules Contributing to Suspicious LSASS Process Access Alert

The following rules are used to identify suspicious process access to or from the Local Security Authority Subsystem Service (LSASS). Any one or more of these will trigger the Suspicious LSASS Process Access Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

LSASS Memory Access by Tool With Dump Keyword In Name

Detects LSASS process access requests from a source process with the "dump" keyword in its image name.

Rule ID

windows_process_access_1

Query

{'selection': {'TargetImage|endswith': '\\lsass.exe', 'SourceImage|contains': 'dump'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process access

Rule Source

SigmaHQ,9bd012ee-0dff-44d7-84a0-aa698cfd87a3

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, T1003.001

References

N/A

Severity

75

Suppression Logic Based On

  • hostip
  • event_data.SourceImage
  • event_data.TargetImage
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/02/10 high

  • Rare programs that contain the word dump in their name and access lsass

Credential Dumping Activity By Python Based Tool

Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.

Rule ID

windows_process_access_2

Query

{'selection': {'TargetImage|endswith': '\\lsass.exe', 'CallTrace|contains': '_ctypes.pyd'}, 'filter_av': {'SourceImage': ['?:\\Windows\\TEMP\\rapid7\\ir_agent.exe']}, 'condition': 'selection and not filter_av'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process access

Rule Source

SigmaHQ,f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9

Author: Bhabesh Raj, Jonhnathan Ribeiro

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, T1003.001

References

N/A

Severity

75

Suppression Logic Based On

  • hostip
  • event_data.SourceImage
  • event_data.TargetImage
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
stable 2023/11/27 high

  • Unknown

LSASS Memory Access by Process in Temp Folder

Identifies suspicious access to LSASS from a source process in Temp folder.

Rule ID

windows_process_access_3

Query

{'selection': {'TargetImage|endswith': '\\lsass.exe', 'SourceImage': ['*\\Local\\Temp\\*', '*\\LocalLow\\Temp\\*', '*\\Roaming\\Temp\\*']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process access

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, T1003.001

References

N/A

Severity

75

Suppression Logic Based On

  • hostip
  • event_data.SourceImage
  • event_data.TargetImage
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2024/01/26 high

  • Unknown

Suspicious LSASS Access via MalSecLogon

Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.

Rule ID

windows_process_access_4

Query

{'selection1': {'TargetImage|endswith': '\\lsass.exe'}, 'selection2': {'CallTrace|contains': 'seclogon.dll'}, 'selection3': {'SourceImage|endswith': 'svchost.exe'}, 'selection4': {'GrantedAccess': '0x14c0'}, 'condition': 'selection1 and selection2 and selection3 and selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process access

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, T1003.001

References

N/A

Severity

75

Suppression Logic Based On

  • hostip
  • event_data.SourceImage
  • event_data.TargetImage
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022/06/29 high N/A

Potential Credential Access via DuplicateHandle in LSASS

Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.

Rule ID

windows_process_access_5

Query

{'selection1': {'SourceImage|endswith': '\\lsass.exe'}, 'selection2': {'GrantedAccess': '0x40'}, 'selection3': {'CallTrace|contains': 'UNKNOWN'}, 'condition': 'selection1 and selection2 and selection3'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process access

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, T1003.001

References

N/A

Severity

50

Suppression Logic Based On

  • hostip
  • event_data.SourceImage
  • event_data.TargetImage
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/09/27 medium N/A

Potential Credential Access via LSASS Memory Dump

Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.

Rule ID

windows_process_access_6

Query

{'selection1': {'TargetImage|endswith': '\\lsass.exe'}, 'selection2': {'CallTrace|contains': ['dbghelp.dll', 'dbgcore.dll']}, 'selection3': {'SourceImage': ['?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\System32\\WerFaultSecure.exe', '?:\\Windows\\System32\\tasklist.exe']}, 'condition': 'selection1 and selection2 and (not selection3)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process access

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, T1003.001

References

N/A

Severity

75

Suppression Logic Based On

  • hostip
  • event_data.SourceImage
  • event_data.TargetImage
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/10/07 high N/A

Potentially Suspicious AccessMask Requested From LSASS

Detects process handle on LSASS process with certain access mask

Rule ID

windows_security_169

Query

{'selection_lsass': {'ObjectName|endswith': '\\lsass.exe'}, 'selection_4656_1': {'EventID': 4656}, 'selection_4656_3': {'AccessMask': ['0x1010', '0x1400', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x100000', '0x10147a', '0x120089', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '0x1fffff']}, 'selection_4663_1': {'EventID': 4663}, 'selection_4663_3': {'AccessList|contains': ['4484', '4416']}, 'filter_main_specific': {'ProcessName|endswith': ['\\Windows\\explorer.exe', '8wekyb3d8bbwe\\GamingServices.exe', '\\MicrosoftEdgeUpdate.exe', '\\VMware\\VMware Tools\\vmtoolsd.exe', '\\VsTskMgr.exe', '\\Windows\\RtkBtManServ.exe', '\\jre\\bin\\java.exe', '\\bin\\oracle.exe', '\\bin\\sqlplus.exe']}, 'filter_main_generic': {'ProcessName|contains': [':\\PROGRA~', ':\\Program Files (x86)\\', ':\\Program Files\\', ':\\ProgramData\\', ':\\Windows\\SysNative\\', ':\\Windows\\System32\\', ':\\Windows\\SysWOW64\\', ':\\Windows\\Temp\\', ':\\Windows\\SystemTemp\\', ':\\Windows\\CCM\\', ':\\Windows\\LTSvc']}, 'filter_main_scenarioengine': {'ProcessName|endswith': '\\x64\\SCENARIOENGINE.EXE', 'AccessList|contains': '%%4484'}, 'filter_main_avira1': {'ProcessName|contains|all': [':\\Users\\', '\\AppData\\Local\\Temp\\is-'], 'ProcessName|endswith': '\\avira_system_speedup.tmp', 'AccessList|contains': '%%4484'}, 'filter_optional_procmon': {'ProcessName|endswith': ['\\procmon64.exe', '\\procmon.exe', '\\procexp.exe', '\\procexp64.exe'], 'AccessList|contains': '%%4484'}, 'condition': 'selection_lsass and ((all of selection_4656_*) or (all of selection_4663_*)) and (not 1 of filter_main_*) and (not 1 of filter_optional_*)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76

Author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, T1003.001

References

N/A

Severity

50

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2019/11/01 medium

  • Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it