Suspicious LSASS Access via MalSecLogon

Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/06/29"
integration = ["windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access
rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in
preparation for credential access.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious LSASS Access via MalSecLogon"
references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"]
risk_score = 73
rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.code == "10" and
  winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and

   /* seclogon service accessing lsass */
  winlog.event_data.CallTrace : "*seclogon.dll*" and process.name : "svchost.exe" and

   /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */
  winlog.event_data.GrantedAccess == "0x14c0"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious LSASS Access via MalSecLogon

The Local Security Authority Subsystem Service (LSASS) is crucial for managing security policies and user authentication in Windows environments. Adversaries may exploit the Secondary Logon service to gain unauthorized access to LSASS, aiming to extract sensitive credentials. The detection rule identifies this threat by monitoring for unusual access patterns involving LSASS, specifically when the seclogon.dll is involved, indicating potential credential dumping activities.

### Possible investigation steps

- Review the event logs for the specific event code "10" to gather more details about the process that triggered the alert, focusing on the time of occurrence and any associated user accounts.
- Examine the process details for "svchost.exe" to determine if it is running under an expected service or if there are any anomalies in its execution context, such as unusual parent processes or command-line arguments.
- Investigate the call trace involving "seclogon.dll" to understand the sequence of events leading to the LSASS access, and check for any other suspicious modules or DLLs loaded in the process.
- Analyze the granted access value "0x14c0" to confirm if it aligns with typical access patterns for legitimate processes interacting with LSASS, and identify any deviations that could indicate malicious intent.
- Correlate the alert with other security events or logs from the same host or user account to identify any patterns or additional indicators of compromise, such as failed login attempts or other suspicious process activities.
- Check for any recent changes or updates to the system that might explain the unusual behavior, such as software installations, patches, or configuration changes that could affect the Secondary Logon service or LSASS.

### False positive analysis

- Legitimate administrative tools or scripts that require access to LSASS for system management tasks may trigger this rule. Users can create exceptions for known tools by excluding specific process names or paths that are verified as safe.
- Security software or endpoint protection solutions that perform regular scans and require access to LSASS might be flagged. Coordinate with security vendors to identify these processes and exclude them from the rule.
- System updates or patches that involve the Secondary Logon service could cause temporary access patterns that mimic suspicious behavior. Monitor update schedules and temporarily adjust the rule to prevent false alerts during these periods.
- Custom enterprise applications that utilize the Secondary Logon service for legitimate purposes may inadvertently match the rule criteria. Work with application developers to understand these access patterns and whitelist the associated processes.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate any suspicious processes associated with svchost.exe that are accessing LSASS with the identified suspicious access rights.
- Conduct a thorough review of user accounts and privileges on the affected system to identify any unauthorized changes or access.
- Reset passwords for all accounts that may have been compromised, focusing on high-privilege accounts first.
- Collect and preserve relevant logs and forensic data from the affected system for further analysis and potential legal action.
- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the full scope of the breach.
- Implement additional monitoring and alerting for similar suspicious activities involving LSASS and seclogon.dll to enhance detection capabilities."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
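As an added example (not the Elastic rule's own code or part of its repository), the following Python mirrors the query's match conditions over constructed Sysmon Event ID 10 records and expands the GrantedAccess mask into named PROCESS_* rights, which is useful when triaging the "0x14c0" value the investigation guide asks about. Field names follow Sysmon's event schema; the sample events and call-trace offsets are made up.

```python
# Added example (not the Elastic rule's own code): decode a Sysmon Event ID 10
# GrantedAccess mask and apply the rule's match conditions to constructed events.
import re

# Subset of PROCESS_* access rights (documented winnt.h constants).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def decode_granted_access(mask: str) -> list:
    """Expand a GrantedAccess hex string into the named rights it contains.
    0x14c0 decodes to the three rights named in the rule's comment plus
    PROCESS_QUERY_LIMITED_INFORMATION, which Windows grants implicitly
    whenever PROCESS_QUERY_INFORMATION is granted."""
    value = int(mask, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]


def matches_malseclogon(event: dict) -> bool:
    """Mirror the EQL query: Event ID 10, lsass.exe target, seclogon.dll in
    the call trace, svchost.exe as source, GrantedAccess exactly 0x14c0."""
    target = event.get("TargetImage", "")
    return (
        event.get("EventID") == 10
        and re.fullmatch(r"(?i)[a-z]:\\windows\\system32\\lsass\.exe", target) is not None
        and "seclogon.dll" in event.get("CallTrace", "").lower()
        and event.get("SourceImage", "").lower().endswith("\\svchost.exe")
        and int(event.get("GrantedAccess", "0"), 16) == 0x14C0
    )


# Constructed sample events; the call-trace offsets are made up, not real telemetry.
SUSPICIOUS = {
    "EventID": 10,
    "SourceImage": r"C:\Windows\System32\svchost.exe",
    "TargetImage": r"C:\WINDOWS\system32\lsass.exe",
    "GrantedAccess": "0x14C0",
    "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+1a2b|C:\Windows\System32\seclogon.dll+3c4d",
}
# Same source, target and call trace but a limited-query handle: the rule does not fire.
BENIGN = dict(SUSPICIOUS, GrantedAccess="0x1000")
```

When the rule fires, `decode_granted_access` on the alert's GrantedAccess field gives the reviewer the named rights to compare against the access a legitimate caller of LSASS would request.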
