Potentially Suspicious AccessMask Requested From LSASS

Detects a process handle requested on the LSASS process with certain access masks

Sigma rule

# Sigma detection rule: a handle to lsass.exe is requested (4656) or used (4663)
# with access rights that are typical for reading process memory, i.e. the
# precondition for credential dumping (ATT&CK T1003.001). A long list of known
# legitimate requesters is then excluded via filter_* selections.
# NOTE(review): 4656/4663 are Windows object-access audit events; they are only
# emitted when auditing for the object is enabled in the environment — confirm
# the log source actually produces them before deploying.
title: Potentially Suspicious AccessMask Requested From LSASS
id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
status: experimental
description: Detects process handle on LSASS process with certain access mask
references:
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
date: 2019/11/01
modified: 2023/12/19
tags:
    - attack.credential_access
    - car.2019-04-004
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    # Handle *request* for lsass.exe carrying one of the listed access masks.
    # `contains` is a substring match on the hex string, so '0x40' also matches
    # e.g. '0x400' and '0x1400' also matches '0x14000'.
    # NOTE(review): confirm this breadth is intended rather than an exact-match
    # oversight; it is a major source of the medium-level noise.
    selection_1:
        EventID: 4656 # A handle to an object was requested.
        ObjectName|endswith: '\lsass.exe'
        AccessMask|contains:
            - '0x40'      # PROCESS_DUP_HANDLE
            - '0x1400'    # PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
            # - '0x1000'  # minimum access requirements to query basic info from service
            - '0x100000'  # SYNCHRONIZE
            - '0x1410'    # car.2019-04-004 - 0x1400 | PROCESS_VM_READ
            - '0x1010'    # car.2019-04-004 - PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ
            - '0x1438'    # car.2019-04-004 - 0x1400 | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
            - '0x143a'    # car.2019-04-004 - 0x1438 | PROCESS_CREATE_THREAD
            - '0x1418'    # car.2019-04-004 - 0x1400 | PROCESS_VM_OPERATION | PROCESS_VM_READ
            - '0x1f0fff'  # PROCESS_ALL_ACCESS as defined before Windows Vista
            - '0x1f1fff'  # PROCESS_ALL_ACCESS variants that additionally carry the
            - '0x1f2fff'  # PROCESS_QUERY_LIMITED_INFORMATION (0x1000) and/or
            - '0x1f3fff'  # PROCESS_SET_LIMITED_INFORMATION (0x2000) bits
    # Access *attempt* on lsass.exe. AccessList holds resource-string access-type
    # IDs; the values here omit the '%%' prefix, so with `contains` they match
    # both '4484' and '%%4484' spellings.
    selection_2:
        EventID: 4663 # An attempt was made to access an object
        ObjectName|endswith: '\lsass.exe'
        AccessList|contains:
            - '4484'
            - '4416'
    # Known-legitimate requesters. Both field conditions inside one selection
    # must hold (Sigma ANDs them): the requesting process must end with one of
    # the names below AND live under one of the listed directory prefixes.
    filter_main_specific:
        ProcessName|endswith:
            - '\csrss.exe'
            - '\GamingServices.exe'
            - '\lsm.exe'
            - '\MicrosoftEdgeUpdate.exe'
            - '\minionhost.exe'  # Cybereason
            - '\MRT.exe'         # MS Malware Removal Tool
            - '\MsMpEng.exe'     # Defender
            - '\perfmon.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\svchost.exe'
            - '\taskmgr.exe'
            - '\thor.exe'        # THOR
            - '\thor64.exe'      # THOR
            - '\vmtoolsd.exe'
            - '\VsTskMgr.exe'    # McAfee Enterprise
            - '\wininit.exe'
            - '\wmiprvse.exe'
            # NOTE(review): no '.exe' / backslash anchor, so any ProcessName ending
            # in this token is matched — presumably deliberate per the write-up
            # below; confirm the logged ProcessName shape for this service.
            - 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
        ProcessName|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
            - ':\Windows\SysNative\'
            - ':\Windows\System32\'
            - ':\Windows\SysWow64\'
            - ':\Windows\Temp\asgard2-agent\'
    # Broad exclusion: any requester whose path contains ':\Program Files' is
    # dropped, regardless of binary name. This trades coverage for noise
    # reduction and makes the two Program Files prefixes above redundant.
    filter_main_generic:
        ProcessName|contains: ':\Program Files'  # too many false positives with legitimate AV and EDR solutions
    # Exclusions anchored on the full drive-relative path of the binary.
    filter_main_exact:
        ProcessName|endswith:
            - ':\Windows\System32\taskhostw.exe'
            - ':\Windows\System32\msiexec.exe'
            - ':\Windows\CCM\CcmExec.exe'
    # The filters below additionally require '%%4484' in AccessList, so they
    # only suppress events where that access type is listed for the named
    # process; other access types from the same process still alert.
    filter_main_sysmon:
        ProcessName|endswith: ':\Windows\Sysmon64.exe'
        AccessList|contains: '%%4484'
    filter_main_aurora:
        ProcessName|contains: ':\Windows\Temp\asgard2-agent-sc\aurora\'
        ProcessName|endswith: '\aurora-agent-64.exe'
        AccessList|contains: '%%4484'
    filter_main_scenarioengine:
        # Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
        ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
        AccessList|contains: '%%4484'
    # Avira installer temp binaries: `contains|all` requires every listed
    # fragment to be present in ProcessName.
    filter_main_avira1:
        ProcessName|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\is-'
        ProcessName|endswith: '\avira_system_speedup.tmp'
        AccessList|contains: '%%4484'
    filter_main_avira2:
        ProcessName|contains: ':\Windows\Temp\'
        ProcessName|endswith: '\avira_speedup_setup_update.tmp'
        AccessList|contains: '%%4484'
    filter_main_snmp:
        ProcessName|endswith: ':\Windows\System32\snmp.exe'
        AccessList|contains: '%%4484'
    filter_main_googleupdate:
        ProcessName|contains: ':\Windows\SystemTemp\'
        ProcessName|endswith: '\GoogleUpdate.exe'
        AccessList|contains: '%%4484'
    # Optional filter (separate prefix so it can be dropped where Process
    # Monitor is not an expected tool on the monitored hosts).
    filter_optional_procmon:
        ProcessName|endswith:
            - '\procmon64.exe'
            - '\procmon.exe'
        AccessList|contains: '%%4484'
    # Either selection fires unless any main or optional filter matches.
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
level: medium
