Rules Contributing to Suspicious LSASS Process Access Alert
The following rules are used to identify suspicious process access to or from the Local Security Authority Subsystem Service (LSASS). Any one or more of these will trigger the Suspicious LSASS Process Access Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
LSASS Memory Access by Tool With Dump Keyword In Name |
Detects LSASS process access requests from a source process with the "dump" keyword in its image name. More details
Rule IDQuery{'selection': {'TargetImage|endswith': '\\lsass.exe', 'SourceImage|contains': 'dump'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9bd012ee-0dff-44d7-84a0-aa698cfd87a3 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Credential Dumping Activity By Python Based Tool |
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz. More details
Rule IDQuery{'selection': {'TargetImage|endswith': '\\lsass.exe', 'CallTrace|contains': '_ctypes.pyd'}, 'filter_av': {'SourceImage': ['?:\\Windows\\TEMP\\rapid7\\ir_agent.exe']}, 'condition': 'selection and not filter_av'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9 Author: Bhabesh Raj, Jonhnathan Ribeiro Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
LSASS Memory Access by Process in Temp Folder |
Identifies suspicious access to LSASS from a source process in Temp folder. More details
Rule IDQuery{'selection': {'TargetImage|endswith': '\\lsass.exe', 'SourceImage': ['*\\Local\\Temp\\*', '*\\LocalLow\\Temp\\*', '*\\Roaming\\Temp\\*']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious LSASS Access via MalSecLogon |
Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access. More details
Rule IDQuery{'selection1': {'TargetImage|endswith': '\\lsass.exe'}, 'selection2': {'CallTrace|contains': 'seclogon.dll'}, 'selection3': {'SourceImage|endswith': 'svchost.exe'}, 'selection4': {'GrantedAccess': '0x14c0'}, 'condition': 'selection1 and selection2 and selection3 and selection4'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|
||||||||
Potential Credential Access via DuplicateHandle in LSASS |
Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access. More details
Rule IDQuery{'selection1': {'SourceImage|endswith': '\\lsass.exe'}, 'selection2': {'GrantedAccess': '0x40'}, 'selection3': {'CallTrace|contains': 'UNKNOWN'}, 'condition': 'selection1 and selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Potential Credential Access via LSASS Memory Dump |
Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access. More details
Rule IDQuery{'selection1': {'TargetImage|endswith': '\\lsass.exe'}, 'selection2': {'CallTrace|contains': ['dbghelp.dll', 'dbgcore.dll']}, 'selection3': {'SourceImage': ['?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\System32\\WerFaultSecure.exe', '?:\\Windows\\System32\\tasklist.exe']}, 'condition': 'selection1 and selection2 and (not selection3)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|
||||||||
Potentially Suspicious AccessMask Requested From LSASS |
Detects process handle on LSASS process with certain access mask More details
Rule IDQuery{'selection_1': {'EventID': 4656, 'ObjectName|endswith': '\\lsass.exe', 'AccessMask|contains': ['0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff']}, 'selection_2': {'EventID': 4663, 'ObjectName|endswith': '\\lsass.exe', 'AccessList|contains': ['4484', '4416']}, 'filter_main_specific': {'ProcessName|endswith': ['\\csrss.exe', '\\GamingServices.exe', '\\lsm.exe', '\\MicrosoftEdgeUpdate.exe', '\\minionhost.exe', '\\MRT.exe', '\\MsMpEng.exe', '\\perfmon.exe', '\\procexp.exe', '\\procexp64.exe', '\\svchost.exe', '\\taskmgr.exe', '\\thor.exe', '\\thor64.exe', '\\vmtoolsd.exe', '\\VsTskMgr.exe', '\\wininit.exe', '\\wmiprvse.exe', '\\WmiPrvSE.exe', 'RtkAudUService64'], 'ProcessName|contains': [':\\Program Files (x86)\\', ':\\Program Files\\', ':\\ProgramData\\Microsoft\\Windows Defender\\Platform\\', ':\\Windows\\SysNative\\', ':\\Windows\\System32\\', ':\\Windows\\SysWow64\\', ':\\Windows\\Temp\\asgard2-agent\\']}, 'filter_main_generic': {'ProcessName|contains': ':\\Program Files'}, 'filter_main_exact': {'ProcessName|endswith': [':\\Windows\\System32\\taskhostw.exe', ':\\Windows\\System32\\msiexec.exe', ':\\Windows\\CCM\\CcmExec.exe', '\\Windows\\explorer.exe', '\\jre\\bin\\java.exe', ':\\Windows\\LTSvc\\LTSVC.exe']}, 'filter_main_sysmon': {'ProcessName|endswith': ':\\Windows\\Sysmon64.exe', 'AccessList|contains': '%%4484'}, 'filter_main_aurora': {'ProcessName|contains': ':\\Windows\\Temp\\asgard2-agent-sc\\aurora\\', 'ProcessName|endswith': '\\aurora-agent-64.exe', 'AccessList|contains': '%%4484'}, 'filter_main_scenarioengine': {'ProcessName|endswith': '\\x64\\SCENARIOENGINE.EXE', 'AccessList|contains': '%%4484'}, 'filter_main_avira1': {'ProcessName|contains|all': [':\\Users\\', '\\AppData\\Local\\Temp\\is-'], 'ProcessName|endswith': '\\avira_system_speedup.tmp', 'AccessList|contains': '%%4484'}, 'filter_main_avira2': {'ProcessName|contains': ':\\Windows\\Temp\\', 'ProcessName|endswith': '\\avira_speedup_setup_update.tmp', 'AccessList|contains': '%%4484'}, 'filter_main_snmp': {'ProcessName|endswith': ':\\Windows\\System32\\snmp.exe', 'AccessList|contains': '%%4484'}, 'filter_main_googleupdate': {'ProcessName|contains': ':\\Windows\\SystemTemp\\', 'ProcessName|endswith': '\\GoogleUpdate.exe', 'AccessList|contains': '%%4484'}, 'filter_optional_procmon': {'ProcessName|endswith': ['\\procmon64.exe', '\\procmon.exe'], 'AccessList|contains': '%%4484'}, 'condition': '1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76 Author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|