Abnormal LSASS Child and Parent Process Relationships
Detects potential lsass.exe abuse based on unusual and suspicious parent-child relationships. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule (View on GitHub)
1title: Abnormal LSASS Child and Parent Process Relationships
2id: 67ba1ddd-4510-42d5-aa78-83bed66bd684
3status: experimental
4description: Detects potential lsass.exe abuse based on unusual and suspicious parent-child
5 relationships. Inspired by the 2022 Red Canary Threat Detection report.
6references:
7 - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
8author: Micah Babinski
9date: 2022/11/03
10tags:
11 - attack.credential_access
12 - attack.t1003.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection1:
18 Image|endswith:
19 - '\cmd.exe'
20 - '\powershell.exe'
21 - '\regsvr32.exe'
22 - '\mstsc.exe'
23 - '\dllhost.exe'
24 ParentImage|endswith: \lsass.exe'
25 selection2:
26 Image|endswith: '\lsass.exe'
27 ParentImage|endswith:
28 - '\explorer.exe'
29 - '\cmd.exe'
30 - '\lsass.exe'
31 condition: selection1 or selection2
32falsepositives:
33 - Unknown
34level: medium```
References
-
Because of the amount of data it stores in memory, LSASS is a common target for adversaries looking to steal sensitive credentials.
Read More
Related rules
- Abnormal LSASS Process Access and Injection
- Dumping Process via Sqldumper.exe
- Password Dumper Activity on LSASS
- Time Travel Debugging Utility Usage
- Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)