Abnormal LSASS Child and Parent Process Relationships
Detects potential lsass.exe abuse based on unusual and suspicious parent-child relationships. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule
```yaml
title: Abnormal LSASS Child and Parent Process Relationships
id: 67ba1ddd-4510-42d5-aa78-83bed66bd684
status: experimental
description: Detects potential lsass.exe abuse based on unusual and suspicious parent-child
    relationships. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        # Suspicious children of lsass.exe
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\regsvr32.exe'
            - '\mstsc.exe'
            - '\dllhost.exe'
        ParentImage|endswith: '\lsass.exe'
    selection2:
        # lsass.exe launched by an unusual parent (it is normally started by wininit.exe)
        Image|endswith: '\lsass.exe'
        ParentImage|endswith:
            - '\explorer.exe'
            - '\cmd.exe'
            - '\lsass.exe'
    condition: selection1 or selection2
falsepositives:
    - Unknown
level: medium
```
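To see what the rule actually fires on, here is an added example (not SigmaHQ code and not part of the rule above) that implements the two selections and the condition in plain Python and runs them over a handful of constructed process-creation events. The Image and ParentImage field names are the ones the rule uses; the event dicts, their ids and the paths in them are made up for this demonstration. Sigma string modifiers match case-insensitively by default, and an absent field never matches, so the helper reproduces both behaviours.

```python
# Added example (not SigmaHQ code): a small evaluator for the Sigma rule above,
# run over constructed process-creation events. Field names Image and
# ParentImage are the ones the rule uses; the sample events are made up.

# Child images the rule considers suspicious when lsass.exe is the parent
# (detection.selection1).
LSASS_CHILDREN = (
    '\\cmd.exe',
    '\\powershell.exe',
    '\\regsvr32.exe',
    '\\mstsc.exe',
    '\\dllhost.exe',
)

# Parents the rule considers suspicious for lsass.exe itself
# (detection.selection2). lsass.exe is normally started by wininit.exe.
LSASS_PARENTS = ('\\explorer.exe', '\\cmd.exe', '\\lsass.exe')


def _endswith(value, suffixes):
    """Sigma's |endswith modifier: case-insensitive suffix match.

    A missing field (for example an event with no ParentImage) never
    matches, which is how Sigma treats absent fields.
    """
    if value is None:
        return False
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection1(event, parent_suffixes=('\\lsass.exe',)):
    """A listed child image whose parent is lsass.exe."""
    return (_endswith(event.get('Image'), LSASS_CHILDREN)
            and _endswith(event.get('ParentImage'), parent_suffixes))


def selection2(event):
    """lsass.exe started by one of the unusual parents."""
    return (_endswith(event.get('Image'), ('\\lsass.exe',))
            and _endswith(event.get('ParentImage'), LSASS_PARENTS))


def matches(event):
    """condition: selection1 or selection2"""
    return selection1(event) or selection2(event)


def evaluate(events):
    """Return the ids of the events that fire the rule, in input order."""
    return [e['id'] for e in events if matches(e)]


# Constructed sample events in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    # 1: normal lsass.exe start under wininit.exe - benign, no match
    {'id': 1, 'Image': r'C:\Windows\System32\lsass.exe',
     'ParentImage': r'C:\Windows\System32\wininit.exe'},
    # 2: cmd.exe spawned by lsass.exe - selection1
    {'id': 2, 'Image': r'C:\Windows\System32\cmd.exe',
     'ParentImage': r'C:\Windows\System32\lsass.exe'},
    # 3: a file named LSASS.EXE launched from explorer.exe - selection2
    #    (mixed case and an odd directory still match, since only the
    #    suffix is compared)
    {'id': 3, 'Image': r'C:\Users\alice\Desktop\LSASS.EXE',
     'ParentImage': r'C:\Windows\explorer.exe'},
    # 4: dllhost.exe under svchost.exe - child is listed, parent is not
    {'id': 4, 'Image': r'C:\Windows\System32\dllhost.exe',
     'ParentImage': r'C:\Windows\System32\svchost.exe'},
    # 5: svchost.exe under lsass.exe - child is not in the rule's list
    {'id': 5, 'Image': r'C:\Windows\System32\svchost.exe',
     'ParentImage': r'C:\Windows\System32\lsass.exe'},
    # 6: lsass.exe started from cmd.exe - selection2
    {'id': 6, 'Image': r'C:\Windows\System32\lsass.exe',
     'ParentImage': r'C:\Windows\System32\cmd.exe'},
    # 7: event with no ParentImage at all - cannot match either selection
    {'id': 7, 'Image': r'C:\Windows\System32\cmd.exe'},
]

if __name__ == '__main__':
    print(evaluate(SAMPLE_EVENTS))  # [2, 3, 6]
```

Two practical points follow from running it. First, the rule only works where the log source fills in the parent image field; an event without it (sample 7) can never match. Second, the ParentImage value in selection1 has to be quoted as '\lsass.exe': an unquoted \lsass.exe' is parsed by YAML as a string that ends in the apostrophe, and a suffix like that never matches a real path, which is what the `parent_suffixes` parameter of `selection1` lets you check.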