Suspicious LSASS Access via MalSecLogon

  1[metadata]
  2creation_date = "2022/06/29"
  3integration = ["windows"]
  4maturity = "production"
  5updated_date = "2026/04/24"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access
 11rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in
 12preparation for credential access.
 13"""
 14from = "now-9m"
 15index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Suspicious LSASS Access via MalSecLogon"
 19references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"]
 20risk_score = 73
 21rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7"
 22severity = "high"
 23tags = [
 24    "Domain: Endpoint",
 25    "OS: Windows",
 26    "Use Case: Threat Detection",
 27    "Tactic: Credential Access",
 28    "Data Source: Sysmon",
 29    "Resources: Investigation Guide",
 30]
 31timestamp_override = "event.ingested"
 32type = "eql"
 33
 34query = '''
 35process where host.os.type == "windows" and event.code == "10" and
 36  winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
 37
 38   /* seclogon service accessing lsass */
 39  winlog.event_data.CallTrace : "*seclogon.dll*" and process.name : "svchost.exe" and
 40
 41   /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION & PROCESS_QUERY_LIMITED_INFORMATION */
 42  winlog.event_data.GrantedAccess == "0x14c0"
 43'''
 44
 45note = """## Triage and analysis
 46
 47### Investigating Suspicious LSASS Access via MalSecLogon
 48
 49#### Possible investigation steps
 50
 51- Does the alert show the MalSecLogon handle-leak pattern rather than generic LSASS access?
 52  - Why: the alert-local target, call trace, and access mask distinguish seclogon-mediated LSASS handle leakage from ordinary LSASS access; they do not prove a dump was written.
 53  - Focus: `winlog.event_data.TargetImage`, `winlog.event_data.CallTrace`, `winlog.event_data.GrantedAccess`, `winlog.event_data.SourceImage`, `winlog.event_data.SourceProcessGUID`, `@timestamp`, and `host.id`.
 54  - Implication: escalate when the tuple is LSASS target + "seclogon.dll" call trace + "0x14c0" access from the seclogon-hosting "svchost.exe"; lower suspicion only when that exact tuple and service context match a recognized security product or authorized test on the same host.
 55
 56- Which seclogon source process and surrounding initiator candidates can you recover?
 57  - Focus: use `winlog.event_data.SourceProcessGUID` and `winlog.event_data.SourceImage` to recover the seclogon-hosting process, then use `host.id` and `process.entity_id` to review surrounding process starts with `process.executable` and `process.command_line`. $investigate_2
 58  - Hint: `winlog.event_data.SourceProcessGUID` identifies the service host that touched LSASS, not automatically the original RPC caller; if endpoint process start details are sparse, keep the conclusion at service-host level instead of assigning a caller.
 59  - Implication: escalate when the surrounding window shows MalSeclogon-like tooling, shells, script hosts, dump utilities, or newly started binaries that explain why seclogon touched LSASS; unresolved initiator recovery does not clear the alert.
 60
 61- Does the recovered lineage and session context fit a recognized Secondary Logon workflow?
 62  - Focus: process context for the recovered service host or initiator candidates: `process.command_line`, `process.parent.executable`, `process.parent.command_line`, `process.Ext.ancestry`, and `user.id`; if parent or ancestry fields are absent, stay scoped to `host.id` plus `process.entity_id` and the tight alert window.
 63  - Implication: escalate when the chain starts from phishing, scripting, remote-admin, dump tooling, or a user context inconsistent with the asset role; treat recognized security-product or authorized-test lineage as lower suspicion, but continue to artifact and authentication checks before closure.
 64
 65- Do process or file artifacts show dump preparation after the handle access?
 66  - Why: the alert proves seclogon-hosted handle access, not dump completion; process and file artifacts show whether the activity advanced toward credential dumping.
 67  - Focus: endpoint process and file events scoped by `host.id` plus recovered `process.entity_id`, checking `process.command_line`, `process.executable`, `file.path`, and `file.name`. $investigate_3
 68  - Hint: look for LSASS clone or dump-helper command lines, dump-like files, encrypted or renamed dump output, or rapid child creation around the handle event; missing endpoint file telemetry is unresolved, not benign.
 69  - Implication: escalate when the timeline shows dump output, clone or dump helpers, suspicious child creation, or staged files tied to the recovered process context; absence of artifacts lowers urgency only when file coverage is present and the process context is otherwise recognized.
 70
 71- Does the user and host context make this access especially high impact?
 72  - Focus: `host.name`, `user.id`, `user.name`, and `user.domain`, plus asset inventory or alert enrichment for domain controller, jump host, credential vault, or tier-0 administration roles when available.
 73  - Implication: escalate faster when the host or account can expose privileged credentials; ordinary workstation context lowers scope, not suspicion, unless the alert-local tuple and recovered workflow are also recognized.
 74
 75- Do follow-on authentication events suggest the leaked handle was used to pivot?
 76  - Why: MalSecLogon handle leakage is usually a precursor to dumping or token abuse, so later credential use can be more decisive than the access event alone.
 77  - Focus: Windows Security events for the same `host.id` and initial `user.id` pivot, especially `winlog.event_id`, `winlog.logon.type`, `winlog.event_data.TargetLogonId`, `winlog.event_data.SubjectLogonId`, and `source.ip`. $investigate_4
 78  - Hint: if `process.Ext.authentication_id` is available, match it to `winlog.event_data.TargetLogonId` for 4624 session creation and search `winlog.event_data.SubjectLogonId` separately for 4648 explicit-credential use; read `winlog.event_data.TargetUserSid` as the authenticated account and `winlog.event_data.SubjectUserSid` as the initiator when they differ. Missing authentication telemetry is unresolved, not benign.
 79  - Implication: escalate when later events show NewCredentials logon type 9, explicit-credential use, or unexpected remote logons after the LSASS access; do not close solely because no follow-on authentication telemetry was ingested.
 80
 81- If the local evidence remains suspicious or unresolved, do related alerts for this user or host show broader credential abuse?
 82  - Focus: related alerts for the same `user.id` in the last 48 hours, especially credential-access, lateral-movement, privilege-escalation, archive, or suspicious authentication findings. $investigate_0
 83  - Hint: compare related alerts for the same `host.id` only after local evidence is suspicious or unresolved, to decide whether this is confined to one asset or part of a broader credential-theft chain. $investigate_1
 84  - Implication: broaden scope when the same user or host also shows dumping, token abuse, remote-admin, or suspicious authentication alerts that support the local findings; keep the case local when related alerts are absent or clearly separate from the LSASS-handle activity.
 85
 86- Escalate when the alert-local tuple, recovered process context, artifacts, privileged scope, or follow-on credential use support unauthorized handle leakage; close only when the exact tuple and recovered workflow align with recognized security tooling or authorized testing; preserve and escalate when evidence is mixed or missing.
 87
 88### False positive analysis
 89
 90- Seclogon-mediated LSASS handle access with "0x14c0" is an operational anti-pattern outside credential-protection products, EDR diagnostics, and authorized IR or red-team testing. Confirm a benign workflow only when the alert-local tuple, seclogon service context, recovered process identity, `user.id`, `host.id`, and absence of dump artifacts or credential-use follow-on all align. When telemetry cannot prove legitimacy, require confirmation for that exact activity from the security product owner, IR lead, or test plan.
 91- Before creating an exception, verify prior alerts from this rule show the same `winlog.event_data.SourceImage`, `winlog.event_data.CallTrace`, `winlog.event_data.GrantedAccess`, recovered workflow identity, `user.id`, `host.id`, and benign follow-on pattern. Avoid exceptions on `process.name`, "svchost.exe", seclogon, or the access mask alone.
 92
 93### Response and remediation
 94
 95- If confirmed benign, reverse temporary containment and record the exact alert-local tuple, service context, recovered workflow identity, host/user scope, and benign follow-on evidence. Create an exception only for that stable pattern after recurrence or explicit product/test confirmation.
 96- If suspicious but unconfirmed, preserve the alert document, source service GUID/image, recovered process starts, command lines, authentication records, volatile handle/service state when feasible, and any `file.path` dump artifacts before containment. Apply reversible containment first, such as suspending the recovered non-system tool, restricting outbound administrative access, or temporarily limiting the affected `user.id` while scope is unresolved.
 97- If confirmed malicious, isolate the affected host and contain accounts only after preserving the seclogon context, recovered initiator candidates, dump artifacts, and follow-on authentication evidence. If immediate isolation is unavailable, escalate with that evidence set to the team that can act.
 98- For privileged hosts or accounts, activate credential-compromise response and rotate exposed credentials according to host role and account tier. Do not assume enterprise-wide compromise without dump or credential-use evidence, but treat confirmed LSASS dump artifacts on tier-0 assets as urgent.
 99- Eradicate only the tools, scripts, dump files, XOR-protected dumps, staged files, persistence, and entry-path artifacts found during the investigation, then remediate the access path that allowed the Secondary Logon abuse.
100- After containment, reduce recurrence risk by reviewing local administrator and debug-privilege exposure, LSASS protection such as RunAsPPL or Credential Guard where supported, and Secondary Logon service necessity on critical servers.
101"""
102
103setup = """## Setup
104
105This rule requires Sysmon telemetry to be enabled and ingested.
106
107Setup instructions: https://ela.st/sysmon-event-10-setup
108"""
109
110[rule.investigation_fields]
111field_names = [
112    "@timestamp",
113    "host.name",
114    "host.id",
115    "user.name",
116    "user.id",
117    "process.entity_id",
118    "process.executable",
119    "process.command_line",
120    "process.parent.executable",
121    "process.parent.command_line",
122    "winlog.event_data.SourceProcessGUID",
123    "winlog.event_data.SourceImage",
124    "winlog.event_data.TargetImage",
125    "winlog.event_data.GrantedAccess",
126    "winlog.event_data.CallTrace",
127]
128
129[[transform.investigate]]
130label = "Alerts associated with the user"
131description = ""
132providers = [
133  [
134    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
135    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
136  ]
137]
138relativeFrom = "now-48h/h"
139relativeTo = "now"
140
141[[transform.investigate]]
142label = "Alerts associated with the host"
143description = ""
144providers = [
145  [
146    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
147    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
148  ]
149]
150relativeFrom = "now-48h/h"
151relativeTo = "now"
152
153[[transform.investigate]]
154label = "Process events for the recovered seclogon source process"
155description = ""
156providers = [
157  [
158    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
159    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
160    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
161  ]
162]
163relativeFrom = "now-1h"
164relativeTo = "now"
165
166[[transform.investigate]]
167label = "Process and file events for the recovered process context"
168description = ""
169providers = [
170  [
171    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
172    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
173    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
174  ],
175  [
176    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
177    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
178    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
179  ]
180]
181relativeFrom = "now-1h"
182relativeTo = "now"
183
184[[transform.investigate]]
185label = "Authentication events for the same user on the host"
186description = ""
187providers = [
188  [
189    { excluded = false, field = "event.code", queryType = "phrase", value = "4624", valueType = "string" },
190    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
191    { excluded = false, field = "winlog.event_data.TargetUserSid", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
192  ],
193  [
194    { excluded = false, field = "event.code", queryType = "phrase", value = "4648", valueType = "string" },
195    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
196    { excluded = false, field = "winlog.event_data.SubjectUserSid", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
197  ]
198]
199relativeFrom = "now-24h"
200relativeTo = "now"
201
202[[rule.threat]]
203framework = "MITRE ATT&CK"
204[[rule.threat.technique]]
205id = "T1003"
206name = "OS Credential Dumping"
207reference = "https://attack.mitre.org/techniques/T1003/"
208[[rule.threat.technique.subtechnique]]
209id = "T1003.001"
210name = "LSASS Memory"
211reference = "https://attack.mitre.org/techniques/T1003/001/"
212
213[rule.threat.tactic]
214id = "TA0006"
215name = "Credential Access"
216reference = "https://attack.mitre.org/tactics/TA0006/"