Abnormal LSASS Process Access and Injection
Detects obviously suspicious cross-process access events targeting lsass.exe: any Windows process_access event (for example Sysmon Event ID 10) in which powershell.exe, taskmgr.exe, rundll32.exe, procdump.exe or procexp.exe opens a handle to lsass.exe, regardless of the access mask requested. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule

```yaml
title: Abnormal LSASS Process Access and Injection
id: 23fac7e9-3c44-4b76-891b-72c4d44e1964
status: experimental
description: Detects obviously suspicious cross-process events targeting lsass.exe.
    Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\taskmgr.exe'
            - '\rundll32.exe'
            - '\procdump.exe'
            - '\procexp.exe'
        TargetImage|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
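The rule's `detection.selection` block applied to a handful of process_access records, as an added example that is not part of the original page or of the Sigma rule itself. The records are constructed for this example; their field names (`SourceImage`, `TargetImage`, `GrantedAccess`) are the ones Sysmon writes for Event ID 10, which is what the `process_access` category maps to on most backends. The matcher implements the `|endswith` modifier the way Sigma defines it (case-insensitive, any-of over a list), and the sample set is chosen to show three things a practitioner should know before deploying the rule: matching is case-insensitive, the leading backslash in each literal matters, and because the rule does not filter on `GrantedAccess` a low-privilege query handle from a listed source fires exactly like a full-access dump.

```python
"""Apply the Sigma rule's selection to constructed Sysmon Event ID 10 records.

Added example, not the rule author's or the Sigma project's code. The events
below are constructed for illustration and are not real telemetry.
"""

# Literals copied from the rule's detection.selection block.
SOURCE_IMAGE_SUFFIXES = (
    r"\powershell.exe",
    r"\taskmgr.exe",
    r"\rundll32.exe",
    r"\procdump.exe",
    r"\procexp.exe",
)
TARGET_IMAGE_SUFFIX = r"\lsass.exe"


def endswith_any(value, suffixes):
    """Sigma '|endswith': case-insensitive suffix match; a list means any-of."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def selection_matches(event):
    """True when the event satisfies 'selection', i.e. the rule's whole condition."""
    return endswith_any(event.get("SourceImage", ""), SOURCE_IMAGE_SUFFIXES) and \
        endswith_any(event.get("TargetImage", ""), (TARGET_IMAGE_SUFFIX,))


def run_rule(events):
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if selection_matches(e)]


# Constructed sample of Sysmon Event ID 10 (ProcessAccess) records.
SAMPLE_EVENTS = [
    {   # procdump dumping LSASS with full access: the classic T1003.001 pattern -> match
        "SourceImage": r"C:\Tools\procdump.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1FFFFF",
    },
    {   # Mixed case and only PROCESS_QUERY_LIMITED_INFORMATION|VM_READ-style access
        # (0x1010): still a match, since the rule checks image names only
        "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE",
        "TargetImage": r"C:\Windows\System32\LSASS.EXE",
        "GrantedAccess": "0x1010",
    },
    {   # Listed source, but the target is not lsass -> no match
        "SourceImage": r"C:\Windows\System32\rundll32.exe",
        "TargetImage": r"C:\Windows\System32\svchost.exe",
        "GrantedAccess": "0x1000",
    },
    {   # Target is lsass, but the source is not in the list -> no match
        "SourceImage": r"C:\Windows\System32\wininit.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1000",
    },
    {   # 'notprocdump.exe' ends with 'procdump.exe' but not '\procdump.exe' -> no match;
        # the backslash anchors the literal to the file name component
        "SourceImage": r"C:\Temp\notprocdump.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1FFFFF",
    },
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT source={hit['SourceImage']} target={hit['TargetImage']} "
              f"access={hit['GrantedAccess']}")
```

Run as-is, the script prints two alerts: the procdump dump and the mixed-case PowerShell event. The second alert is the one worth discussing with whoever tunes the rule: the rule as published carries `falsepositives: Unknown` and no `GrantedAccess` filter, so any backend that maps `process_access` to Sysmon Event ID 10 will raise it for every handle the five listed images open to lsass.exe, whatever the access mask.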