LSASS Access Detected via Attack Surface Reduction

Detects Access to LSASS Process

Sigma rule

```yaml
title: LSASS Access Detected via Attack Surface Reduction
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
status: test
description: Detects Access to LSASS Process
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
author: Markus Neis
date: 2018/08/26
modified: 2022/08/13
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    product: windows
    service: windefend
    definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
detection:
    selection:
        EventID: 1121
        Path|endswith: '\lsass.exe'
    filter_thor:
        ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
        ProcessName|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    filter_exact:
        ProcessName:
            - 'C:\Windows\System32\atiesrxx.exe'
            - 'C:\Windows\System32\CompatTelRunner.exe'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\System32\nvwmi64.exe'
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\Taskmgr.exe'
            - 'C:\Windows\System32\wbem\WmiPrvSE.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_begins:
        ProcessName|startswith:
            - 'C:\Windows\System32\DriverStore\'
            - 'C:\WINDOWS\Installer\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Google Chrome GoogleUpdate.exe
    - Some Taskmgr.exe related activity
level: high
```
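As an added example (not code from the Sigma project or from this rule page), the rule's `selection and not 1 of filter_*` logic re-implemented in Python and run over constructed windefend ASR events; the sample process paths and the `alerts` helper are assumptions made for the illustration.

```python
# Added example (not part of the Sigma project or this rule page): the rule's
# matching logic in Python, run over constructed windefend ASR events. Sigma
# string matching is case-insensitive, so every comparison is lowercased.
SELECTION_EVENT_ID = 1121
SELECTION_PATH_SUFFIX = "\\lsass.exe"
FILTER_THOR_PREFIX = "c:\\windows\\temp\\asgard2-agent\\"
FILTER_THOR_SUFFIXES = ("\\thor64.exe", "\\thor.exe")
FILTER_EXACT = {
    "c:\\windows\\system32\\atiesrxx.exe",
    "c:\\windows\\system32\\compattelrunner.exe",
    "c:\\windows\\system32\\msiexec.exe",
    "c:\\windows\\system32\\nvwmi64.exe",
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\taskmgr.exe",
    "c:\\windows\\system32\\wbem\\wmiprvse.exe",
    "c:\\windows\\syswow64\\msiexec.exe",
}
FILTER_BEGINS = (
    "c:\\windows\\system32\\driverstore\\",
    "c:\\windows\\installer\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

def _low(event, field):
    return str(event.get(field, "")).lower()

def matches(event):
    """True when the event satisfies 'selection and not 1 of filter_*'."""
    if event.get("EventID") != SELECTION_EVENT_ID:
        return False
    if not _low(event, "Path").endswith(SELECTION_PATH_SUFFIX):
        return False
    proc = _low(event, "ProcessName")
    filter_thor = proc.startswith(FILTER_THOR_PREFIX) and proc.endswith(FILTER_THOR_SUFFIXES)
    filter_exact = proc in FILTER_EXACT
    filter_begins = proc.startswith(FILTER_BEGINS)
    return not (filter_thor or filter_exact or filter_begins)

# Constructed sample events (not real telemetry). EventID 1122 is the ASR
# audit-mode event; the rule only fires on 1121 (block mode).
LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 1121, "Path": LSASS, "ProcessName": "C:\\Users\\Public\\unknown.exe"},
    {"EventID": 1121, "Path": LSASS, "ProcessName": "C:\\Windows\\System32\\MSIEXEC.EXE"},
    {"EventID": 1121, "Path": LSASS, "ProcessName": "C:\\Windows\\Temp\\asgard2-agent\\thor64.exe"},
    {"EventID": 1122, "Path": LSASS, "ProcessName": "C:\\Users\\Public\\unknown.exe"},
]

def alerts(events):
    return [e["ProcessName"] for e in events if matches(e)]
```

Only the first sample event survives both the selection and the three exclusion filters; the second shows that the exact-path filter still applies when the source logs the path in a different case.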
