LSASS Access From Non System Account

Detects potential mimikatz-like tools accessing LSASS from a non-system account.

Sigma rule

```yaml
title: LSASS Access From Non System Account
id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
status: test
description: Detects potential mimikatz-like tools accessing LSASS from non system account
references:
    - https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2023-12-11
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4663
            - 4656
        AccessMask:
            - '0x100000'
            - '0x1010'    # car.2019-04-004
            - '0x1400'
            - '0x1410'    # car.2019-04-004
            - '0x1418'    # car.2019-04-004
            - '0x1438'    # car.2019-04-004
            - '0x143a'    # car.2019-04-004
            - '0x1f0fff'
            - '0x1f1fff'
            - '0x1f2fff'
            - '0x1f3fff'
            - '0x40'
            - '143a'    # car.2019-04-004
            - '1f0fff'
            - '1f1fff'
            - '1f2fff'
            - '1f3fff'
            # - '0x1000'  # minimum access requirements to query basic info from service
        ObjectType: 'Process'
        ObjectName|endswith: '\lsass.exe'
    filter_main_service_account:
        SubjectUserName|endswith: '$'
    filter_main_generic:
        ProcessName|contains:
            # Legitimate AV and EDR solutions
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    filter_main_wmiprvse:
        ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        AccessMask: '0x1410'
    filter_optional_steam:
        ProcessName|contains: '\SteamLibrary\steamapps\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
```
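The rule's detection logic, as an added Python example (not the Sigma project's code or a Sigma backend): the selection block and each filter block are evaluated over constructed 4663/4656 Security events, so the effect of the listed access masks and the service-account, Program Files and WmiPrvSE exclusions can be checked against concrete records. The event field names, sample paths and user names are assumptions.

```python
# Added example (not the Sigma project's code): evaluates the rule above over
# constructed Windows Security events. Field names follow the rule's logsource.
EVENT_IDS = {"4663", "4656"}
ACCESS_MASKS = {  # every value listed in the rule, with and without the 0x prefix
    "0x100000", "0x1010", "0x1400", "0x1410", "0x1418", "0x1438", "0x143a",
    "0x1f0fff", "0x1f1fff", "0x1f2fff", "0x1f3fff", "0x40",
    "143a", "1f0fff", "1f1fff", "1f2fff", "1f3fff",
}
PROGRAM_FILES = (":\\program files\\", ":\\program files (x86)\\")
WMIPRVSE = "c:\\windows\\system32\\wbem\\wmiprvse.exe"
STEAM = "\\steamlibrary\\steamapps\\"

def _f(ev, key):
    # Sigma string matching is case-insensitive by default, so compare lower-cased.
    return str(ev.get(key, "")).lower()

def selection(ev):
    """The rule's 'selection' block: handle/object access on lsass.exe with a listed mask."""
    return (_f(ev, "EventID") in EVENT_IDS
            and _f(ev, "AccessMask") in ACCESS_MASKS
            and _f(ev, "ObjectType") == "process"
            and _f(ev, "ObjectName").endswith("\\lsass.exe"))

def filtered(ev):
    """True if any filter_main_* or filter_optional_* block matches (suppresses the hit)."""
    proc = _f(ev, "ProcessName")
    return (_f(ev, "SubjectUserName").endswith("$")                     # filter_main_service_account
            or any(p in proc for p in PROGRAM_FILES)                    # filter_main_generic
            or (proc == WMIPRVSE and _f(ev, "AccessMask") == "0x1410")  # filter_main_wmiprvse
            or STEAM in proc)                                           # filter_optional_steam

def alerts(events):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return [ev["ProcessName"] for ev in events if selection(ev) and not filtered(ev)]

# Constructed sample events (not real log data); only the first should alert.
LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": "4663", "AccessMask": "0x1010", "ObjectType": "Process", "ObjectName": LSASS,
     "SubjectUserName": "jdoe", "ProcessName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\unknown.exe"},
    {"EventID": "4663", "AccessMask": "0x1010", "ObjectType": "Process", "ObjectName": LSASS,
     "SubjectUserName": "WKS01$", "ProcessName": "C:\\Windows\\System32\\svchost.exe"},  # service account
    {"EventID": "4656", "AccessMask": "0x1410", "ObjectType": "Process", "ObjectName": LSASS,
     "SubjectUserName": "jdoe", "ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},  # wmiprvse
    {"EventID": "4656", "AccessMask": "0x1F0FFF", "ObjectType": "Process", "ObjectName": LSASS,
     "SubjectUserName": "jdoe", "ProcessName": "C:\\Program Files\\EDR\\sensor.exe"},  # AV/EDR path
    {"EventID": "4663", "AccessMask": "0x1000", "ObjectType": "Process", "ObjectName": LSASS,
     "SubjectUserName": "jdoe", "ProcessName": "C:\\Windows\\System32\\taskmgr.exe"},  # mask not listed
]
```

Note that the last sample uses the commented-out 0x1000 mask, so it is outside the selection rather than excluded by a filter; `alerts(SAMPLE_EVENTS)` returns only the first event's process path.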
