Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions rules/credential_access_suspicious_lsass_process_access.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: Suspicious LSASS process access
id: 40e59763-62c6-4ae7-8c8a-5d4167d3b4e9
version: 1.0.0
description: |
Identifies processes requesting high-privilege access to the
Local Security Authority Subsystem Service (LSASS) process
using access rights commonly required to read process memory,
duplicate handles, or create process clone for dumping the
credentials material.
labels:
tactic.id: TA0006
tactic.name: Credential Access
tactic.ref: https://attack.mitre.org/tactics/TA0006/
technique.id: T1003
technique.name: OS Credential Dumping
technique.ref: https://attack.mitre.org/techniques/T1003/
subtechnique.id: T1003.001
subtechnique.name: LSASS Memory
subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
references:
- https://redcanary.com/threat-detection-report/techniques/lsass-memory/
- https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before

condition: >
open_process and
evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and
ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE') and
ps.exe not imatches
(
'?:\\Program Files (x86)\\*',
'?:\\Program Files\\*',
'?:\\Windows\\System32\\svchost.exe',
'?:\\Windows\\System32\\csrss.exe',
'?:\\Windows\\System32\\lsm.exe',
'?:\\Windows\\system32\\MRT.exe',
'?:\\Windows\\System32\\wininit.exe',
'?:\\Windows\\System32\\services.exe',
'?:\\Windows\\Sysmon.exe',
'?:\\Windows\\Sysmon64.exe',
'?:\\Windows\\System32\\msiexec.exe',
'?:\\Windows\\system32\\wbem\\wmiprvse.exe',
'?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
)

severity: high

min-engine-version: 3.0.0
Loading