Suspicious LSASS Access Via MalSecLogon

 1title: Suspicious LSASS Access Via MalSecLogon
 2id: 472159c5-31b9-4f56-b794-b766faa8b0a7
 3status: test
 4description: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
 5references:
 6    - https://twitter.com/SBousseaden/status/1541920424635912196
 7    - https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
 8    - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
 9author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)
10date: 2022-06-29
11tags:
12    - attack.credential-access
13    - attack.t1003.001
14logsource:
15    category: process_access
16    product: windows
17detection:
18    selection:
19        TargetImage|endswith: '\lsass.exe'
20        SourceImage|endswith: '\svchost.exe'
21        GrantedAccess: '0x14c0'
22        CallTrace|contains: 'seclogon.dll'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

• x.com

  
  Read More

• detection-rules/rules/windows/credential_access_lsass_handle_via_malseclogon.toml at 2bc1795f3d7bcc3946452eb4f07ae799a756d94e · elastic/detection-rules

  

  Contribute to elastic/detection-rules development by creating an account on GitHub.

  
  Read More

• 

  by splinter_code - 28 June 2022   After my previous post "The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory" in which i described how to leverage the seclogon service ...

  
  Read More

Related rules

• APT31 Judgement Panda Activity
• Cred Dump Tools Dropped Files
• Credential Dumping Activity By Python Based Tool
• Credential Dumping Attempt Via WerFault
• Credential Dumping Tools Service Execution - Security