LSASS Access Detected via Attack Surface Reduction
Detects Access to LSASS Process
Sigma rule

title: LSASS Access Detected via Attack Surface Reduction
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
status: test
description: Detects Access to LSASS Process
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
author: Markus Neis
date: 2018-08-26
modified: 2022-08-13
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: windefend
    definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
detection:
    selection:
        EventID: 1121
        Path|endswith: '\lsass.exe'
    filter_thor:
        ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
        ProcessName|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    filter_exact:
        ProcessName:
            - 'C:\Windows\System32\atiesrxx.exe'
            - 'C:\Windows\System32\CompatTelRunner.exe'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\System32\nvwmi64.exe'
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\Taskmgr.exe'
            - 'C:\Windows\System32\wbem\WmiPrvSE.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_begins:
        ProcessName|startswith:
            - 'C:\Windows\System32\DriverStore\'
            - 'C:\WINDOWS\Installer\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Google Chrome GoogleUpdate.exe
    - Some Taskmgr.exe related activity
level: high
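The rule's condition, `selection and not 1 of filter_*`, evaluated in plain Python against constructed windefend event records. This is an added example, not part of the Sigma project or this rule; the sample events are constructed, and the comparisons are lower-cased because Sigma string modifiers match case-insensitively.

```python
from typing import Dict, Iterable, List

# Filter values copied from the rule, lower-cased once (Sigma matching is case-insensitive)
FILTER_EXACT = {p.lower() for p in (
    r"C:\Windows\System32\atiesrxx.exe", r"C:\Windows\System32\CompatTelRunner.exe",
    r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\nvwmi64.exe",
    r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\Taskmgr.exe",
    r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\SysWOW64\msiexec.exe",
)}
FILTER_BEGINS = tuple(p.lower() for p in (
    "C:\\Windows\\System32\\DriverStore\\", "C:\\WINDOWS\\Installer\\",
    "C:\\Program Files\\", "C:\\Program Files (x86)\\",
))
THOR_PREFIX = "C:\\Windows\\Temp\\asgard2-agent\\".lower()
THOR_SUFFIXES = (r"\thor64.exe", r"\thor.exe")

def matches(event: Dict[str, object]) -> bool:
    """Evaluate 'selection and not 1 of filter_*' for a single windefend event."""
    path = str(event.get("Path", "")).lower()
    proc = str(event.get("ProcessName", "")).lower()
    # selection: ASR block event 1121 whose protected path ends with \lsass.exe
    if event.get("EventID") != 1121 or not path.endswith(r"\lsass.exe"):
        return False
    filter_thor = proc.startswith(THOR_PREFIX) and proc.endswith(THOR_SUFFIXES)
    filter_exact = proc in FILTER_EXACT
    filter_begins = proc.startswith(FILTER_BEGINS)
    # any one matching filter suppresses the alert ("1 of filter_*")
    return not (filter_thor or filter_exact or filter_begins)

def alerts(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return only the events this rule would raise."""
    return [e for e in events if matches(e)]

# Constructed sample events (not real Defender telemetry); field names follow the rule
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 1121, "Path": LSASS, "ProcessName": r"C:\Users\Public\tool.exe"},          # alert
    {"EventID": 1121, "Path": LSASS, "ProcessName": r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE"},   # filter_exact (case)
    {"EventID": 1121, "Path": LSASS, "ProcessName": r"C:\Program Files\Vendor\agent.exe"}, # filter_begins
    {"EventID": 1121, "Path": LSASS, "ProcessName": r"C:\Windows\Temp\asgard2-agent\thor64.exe"},  # filter_thor
    {"EventID": 1122, "Path": LSASS, "ProcessName": r"C:\Users\Public\tool.exe"},          # not EventID 1121
    {"EventID": 1121, "Path": r"C:\Windows\System32\notepad.exe", "ProcessName": r"C:\Users\Public\tool.exe"},  # not lsass
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("ALERT" if matches(e) else "quiet", e["EventID"], e["ProcessName"])
```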
Related rules
- APT31 Judgement Panda Activity
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security