Abnormal LSASS Process Access and Injection
Detects obviously suspicious cross-process events targetting lsass.exe. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule (View on GitHub)
1title: Abnormal LSASS Process Access and Injection
2id: 23fac7e9-3c44-4b76-891b-72c4d44e1964
3status: experimental
4description: Detects obviously suspicious cross-process events targetting lsass.exe.
5 Inspired by the 2022 Red Canary Threat Detection report.
6references:
7 - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
8author: Micah Babinski
9date: 2022/11/03
10tags:
11 - attack.credential_access
12 - attack.t1003.001
13logsource:
14 category: process_access
15 product: windows
16detection:
17 selection:
18 SourceImage|endswith:
19 - '\powershell.exe'
20 - '\taskmgr.exe'
21 - '\rundll32.exe'
22 - '\procdump.exe'
23 - '\procexp.exe'
24 TargetImage|endswith: '\lsass.exe'
25 condition: selection
26falsepositives:
27 - Unknown
28level: medium```
References
-
Because of the amount of data it stores in memory, LSASS is a common target for adversaries looking to steal sensitive credentials.
Read More
Related rules
- Abnormal LSASS Child and Parent Process Relationships
- Dumping Process via Sqldumper.exe
- Password Dumper Activity on LSASS
- Time Travel Debugging Utility Usage
- Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)