diff --git a/rules/credential_access_suspicious_lsass_process_access.yml b/rules/credential_access_suspicious_lsass_process_access.yml new file mode 100644 index 000000000..a99f4903b --- /dev/null +++ b/rules/credential_access_suspicious_lsass_process_access.yml @@ -0,0 +1,47 @@ +name: Suspicious LSASS process access +id: 40e59763-62c6-4ae7-8c8a-5d4167d3b4e9 +version: 1.0.0 +description: | + Identifies processes requesting high-privilege access to the + Local Security Authority Subsystem Service (LSASS) process + using access rights commonly required to read process memory, + duplicate handles, or create process clone for dumping the + credentials material. +labels: + tactic.id: TA0006 + tactic.name: Credential Access + tactic.ref: https://attack.mitre.org/tactics/TA0006/ + technique.id: T1003 + technique.name: OS Credential Dumping + technique.ref: https://attack.mitre.org/techniques/T1003/ + subtechnique.id: T1003.001 + subtechnique.name: LSASS Memory + subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/ +references: + - https://redcanary.com/threat-detection-report/techniques/lsass-memory/ + - https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before + +condition: > + open_process and + evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and + ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE') and + ps.exe not imatches + ( + '?:\\Program Files (x86)\\*', + '?:\\Program Files\\*', + '?:\\Windows\\System32\\svchost.exe', + '?:\\Windows\\System32\\csrss.exe', + '?:\\Windows\\System32\\lsm.exe', + '?:\\Windows\\system32\\MRT.exe', + '?:\\Windows\\System32\\wininit.exe', + '?:\\Windows\\System32\\services.exe', + '?:\\Windows\\Sysmon.exe', + '?:\\Windows\\Sysmon64.exe', + '?:\\Windows\\System32\\msiexec.exe', + '?:\\Windows\\system32\\wbem\\wmiprvse.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe' + ) + +severity: high + +min-engine-version: 3.0.0