Abnormal LSASS Child and Parent Process Relationships (RedCanary Threat Detection Report)
Detects potential LSASS abuse based on unusual parent-child process lineage patterns. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Abnormal LSASS Child and Parent Process Relationships (RedCanary Threat Detection Report)
2id: 1afbb031-8721-45b3-b2ed-856515f68558
3status: experimental
4description: |
5 Detects potential LSASS abuse based on unusual parent-child process lineage patterns.
6 Part of the RedCanary 2023 Threat Detection Report.
7references:
8 - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
9author: RedCanary, Sigma formatting by Micah Babinski
10date: 2023/05/10
11tags:
12 - attack.credential_access
13 - attack.t1003.001
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_1:
19 ParentImage|endswith: '\lsass.exe'
20 Image|endswith:
21 - '\cmd.exe'
22 - '\powershell.exe'
23 - '\regsvr32.exe'
24 - '\mstsc.exe'
25 - '\dllhost.exe'
26 selection_2:
27 ParentImage|endswith:
28 - '\explorer.exe'
29 - '\cmd.exe'
30 - '\lsass.exe'
31 Image|endswith: '\lsass.exe'
32 condition: 1 of selection*
33falsepositives:
34 - Unknown
35level: low```
References
-
Because of the amount of data it stores in memory, LSASS is a common target for adversaries looking to steal sensitive credentials.
Read More
Related rules
- Abnormal LSASS Process Access and Injection (RedCanary Threat Detection Report)
- LSASS Running Under Non-Privileged User Context (RedCanary Threat Detection Report)
- Rundll32 Dumping Credentials with MiniDump Function (RedCanary Threat Detection Report)
- Process Memory Dump via RdrLeakDiag.EXE
- Suspicious Dump64.exe Execution