LSASS Running Under Non-Privileged User Context (RedCanary Threat Detection Report)
Detects a process named lsass.exe created under any account other than LOCAL SYSTEM (S-1-5-18). The genuine LSASS is started by wininit.exe as SYSTEM, so an lsass.exe process created under a user account is a likely masquerading binary or credential-access tool and can indicate abuse. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule

```yaml
title: LSASS Running Under Non-Privileged User Context (RedCanary Threat Detection Report)
id: c6624640-de9d-4933-a3dd-261cdeafdd18
status: experimental
description: |
    Detects instances of LSASS running under any non-privileged user context, which can indicate abuse.
    Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\lsass.exe'
    filter:
        SubjectUserSid: 'S-1-5-18'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
```
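As an added example (not part of the Sigma rule or of Red Canary's report), the Python below applies the rule's `selection`, `filter` and `condition` to a handful of constructed Security 4688 events, so you can see which records alert and which are suppressed. The `Event4688` class, the sample events and their SIDs are all made up for illustration; the matching mirrors Sigma's default case-insensitive string comparison for `|endswith`.

```python
"""Added example: the rule's selection/filter logic run over constructed
Security event 4688 records. Not the rule's own code and not Red Canary's."""

from dataclasses import dataclass

# The SID the rule's `filter` suppresses: LOCAL SYSTEM, which genuinely runs LSASS.
LOCAL_SYSTEM_SID = "S-1-5-18"


@dataclass(frozen=True)
class Event4688:
    """Only the 4688 fields the rule reads (plus the account name for display)."""
    EventID: int
    NewProcessName: str
    SubjectUserSid: str
    SubjectUserName: str = ""


def matches_rule(ev: Event4688) -> bool:
    """condition: selection and not filter.

    Sigma compares strings case-insensitively by default, so the path is
    lower-cased before the endswith test; the leading backslash in the
    pattern keeps names such as 'notlsass.exe' from matching.
    """
    selection = ev.EventID == 4688 and ev.NewProcessName.lower().endswith("\\lsass.exe")
    filter_ = ev.SubjectUserSid == LOCAL_SYSTEM_SID
    return selection and not filter_


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate: the real LSASS, created as SYSTEM at boot -> suppressed by the filter.
    Event4688(4688, r"C:\Windows\System32\lsass.exe", "S-1-5-18", "SYSTEM"),
    # Suspicious: a binary named lsass.exe launched from a user's temp directory.
    Event4688(4688, r"C:\Users\alice\AppData\Local\Temp\lsass.exe",
              "S-1-5-21-1111-2222-3333-1001", "alice"),
    # Mixed-case path under a non-SYSTEM account: still a hit because matching is case-insensitive.
    Event4688(4688, r"C:\Windows\System32\LSASS.EXE",
              "S-1-5-21-1111-2222-3333-500", "Administrator"),
    # Not LSASS: no backslash directly before 'lsass.exe', so the selection does not match.
    Event4688(4688, r"C:\Tools\notlsass.exe", "S-1-5-21-1111-2222-3333-1001", "alice"),
    # Wrong event: 4689 is process termination and is outside the selection.
    Event4688(4689, r"C:\Windows\System32\lsass.exe", "S-1-5-21-1111-2222-3333-1001", "alice"),
]


def run_detection(events):
    """Return the events the rule would alert on, in input order."""
    return [ev for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT: {hit.SubjectUserName} ({hit.SubjectUserSid}) created {hit.NewProcessName}")
```

Two practical points the run makes visible: the rule only sees anything if "Audit Process Creation" (success) is enabled, because 4688 is not logged by default; and the selection matches any path ending in `\lsass.exe`, so the `NewProcessName` in a hit is what tells you whether you are looking at a renamed tool dropped outside `%SystemRoot%\System32` or at something launched from the real location under the wrong account.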
Related rules
- Abnormal LSASS Child and Parent Process Relationships (RedCanary Threat Detection Report)
- Abnormal LSASS Process Access and Injection (RedCanary Threat Detection Report)
- Rundll32 Dumping Credentials with MiniDump Function (RedCanary Threat Detection Report)
- Mimikatz Command Line With Ticket Export
- Abnormal LSASS Child and Parent Process Relationships