User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
Sigma rule (View on GitHub)
1title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
2id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
3status: test
4description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
5references:
6 - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
7author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
8date: 2019-10-24
9modified: 2022-12-25
10tags:
11 - attack.credential-access
12 - attack.lateral-movement
13 - attack.privilege-escalation
14 - attack.t1558.003
15logsource:
16 product: windows
17 service: security
18detection:
19 selection:
20 EventID: 4673
21 Service: 'LsaRegisterLogonProcess()'
22 Keywords: '0x8010000000000000' # failure
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
Related rules
- Register new Logon Process by Rubeus
- HackTool - KrbRelayUp Execution
- HackTool - Rubeus Execution
- HackTool - Rubeus Execution - ScriptBlock
- Uncommon Outbound Kerberos Connection - Security