Suspicious LSASS Access Via MalSecLogon
Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
Sigma rule (View on GitHub)
1title: Suspicious LSASS Access Via MalSecLogon
2id: 472159c5-31b9-4f56-b794-b766faa8b0a7
3status: test
4description: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
5references:
6 - https://twitter.com/SBousseaden/status/1541920424635912196
7 - https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
8 - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
9author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)
10date: 2022/06/29
11tags:
12 - attack.credential_access
13 - attack.t1003.001
14logsource:
15 category: process_access
16 product: windows
17detection:
18 selection:
19 TargetImage|endswith: '\lsass.exe'
20 SourceImage|endswith: '\svchost.exe'
21 GrantedAccess: '0x14c0'
22 CallTrace|contains: 'seclogon.dll'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
-
-
by splinter_code - 28 June 2022 After my previous post "The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory" in which i described how to leverage the seclogon service ...
Read More
Related rules
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- HackTool - Generic Process Access
- LSASS Access From Potentially White-Listed Processes
- LSASS Memory Access by Tool With Dump Keyword In Name