From 207ef4be22182f1f33a3bae8394d925930fca2bc Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Thu, 2 Jul 2026 18:48:18 +0200 Subject: [PATCH] feat(rules): Add Suspicious LSASS process access rule Identifies processes requesting high-privilege access to the Local Security Authority Subsystem Service (LSASS) process using access rights commonly required to read process memory, duplicate handles, or create process clone for dumping the credentials material. --- ...access_suspicious_lsass_process_access.yml | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 rules/credential_access_suspicious_lsass_process_access.yml diff --git a/rules/credential_access_suspicious_lsass_process_access.yml b/rules/credential_access_suspicious_lsass_process_access.yml new file mode 100644 index 000000000..a99f4903b --- /dev/null +++ b/rules/credential_access_suspicious_lsass_process_access.yml @@ -0,0 +1,47 @@ +name: Suspicious LSASS process access +id: 40e59763-62c6-4ae7-8c8a-5d4167d3b4e9 +version: 1.0.0 +description: | + Identifies processes requesting high-privilege access to the + Local Security Authority Subsystem Service (LSASS) process + using access rights commonly required to read process memory, + duplicate handles, or create process clone for dumping the + credentials material. +labels: + tactic.id: TA0006 + tactic.name: Credential Access + tactic.ref: https://attack.mitre.org/tactics/TA0006/ + technique.id: T1003 + technique.name: OS Credential Dumping + technique.ref: https://attack.mitre.org/techniques/T1003/ + subtechnique.id: T1003.001 + subtechnique.name: LSASS Memory + subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/ +references: + - https://redcanary.com/threat-detection-report/techniques/lsass-memory/ + - https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before + +condition: > + open_process and + evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and + ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE') and + ps.exe not imatches + ( + '?:\\Program Files (x86)\\*', + '?:\\Program Files\\*', + '?:\\Windows\\System32\\svchost.exe', + '?:\\Windows\\System32\\csrss.exe', + '?:\\Windows\\System32\\lsm.exe', + '?:\\Windows\\system32\\MRT.exe', + '?:\\Windows\\System32\\wininit.exe', + '?:\\Windows\\System32\\services.exe', + '?:\\Windows\\Sysmon.exe', + '?:\\Windows\\Sysmon64.exe', + '?:\\Windows\\System32\\msiexec.exe', + '?:\\Windows\\system32\\wbem\\wmiprvse.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe' + ) + +severity: high + +min-engine-version: 3.0.0