Potentially Suspicious GrantedAccess Flags On LSASS
Detects process access requests to LSASS process with potentially suspicious access flags
Sigma rule:

```yaml
title: Potentially Suspicious GrantedAccess Flags On LSASS
id: a18dd26b-6450-46de-8c91-9659150cf088
related:
    - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
      type: similar
status: test
description: Detects process access requests to LSASS process with potentially suspicious access flags
references:
    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
date: 2021-11-22
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection_target:
        TargetImage|endswith: '\lsass.exe'
    selection_access:
        - GrantedAccess|endswith:
              # - '10' # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
              - '30'
              - '50'
              - '70'
              - '90'
              - 'B0'
              - 'D0'
              - 'F0'
              - '18'
              - '38'
              - '58'
              - '78'
              - '98'
              - 'B8'
              - 'D8'
              - 'F8'
              - '1A'
              - '3A'
              - '5A'
              - '7A'
              - '9A'
              - 'BA'
              - 'DA'
              - 'FA'
              - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
        - GrantedAccess|startswith:
              - '0x100000'
              - '0x1418' # car.2019-04-004
              - '0x1438' # car.2019-04-004
              - '0x143a' # car.2019-04-004
              - '0x1f0fff'
              - '0x1f1fff'
              - '0x1f2fff'
              - '0x1f3fff'
              - '0x40'
              # - '0x1000' # minimum access requirements to query basic info from service
              # - '0x1010' # car.2019-04-004
              # - '0x1400'
              # - '0x1410' # car.2019-04-004 # Covered by 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
    filter_main_generic:
        # When using this rule. Remove this filter and replace it by the path of the specific AV you use
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_optional_malwarebytes:
        SourceImage|endswith: ':\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
    filter_optional_vscode:
        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
    filter_main_windefend_1:
        SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\'
        SourceImage|endswith: '\MsMpEng.exe'
    filter_main_windefend_2:
        CallTrace|contains|all:
            - '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
            - '}\mpengine.dll+'
        GrantedAccess: '0x1418'
    filter_main_windefend_3:
        CallTrace|contains:
            - '|c:\program files\windows defender\mprtp.dll'
            - '|c:\program files\windows defender\MpClient.dll'
    filter_optional_vmwaretools:
        SourceImage|contains: ':\ProgramData\VMware\VMware Tools\'
        SourceImage|endswith: '\vmtoolsd.exe'
    filter_optional_sysinternals_process_explorer:
        SourceImage|endswith:
            - '\PROCEXP64.EXE'
            - '\PROCEXP.EXE'
        GrantedAccess: '0x40'
    filter_optional_mbami:
        SourceImage|endswith: '\MBAMInstallerService.exe'
        GrantedAccess: '0x40'
    filter_optional_nextron:
        SourceImage|endswith:
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
            - '\thor.exe'
            - '\thor64.exe'
        GrantedAccess: '0x40'
    filter_main_explorer:
        SourceImage|endswith: '\explorer.exe'
        GrantedAccess: '0x401'
    filter_optional_sysinternals_handle:
        SourceImage|endswith:
            - '\handle.exe'
            - '\handle64.exe'
        GrantedAccess: '0x40'
    filter_optional_webex:
        SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
        GrantedAccess: '0x401'
    filter_optional_steam_apps:
        SourceImage|contains: '\SteamLibrary\steamapps\'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software such as AV and EDR
level: medium
```
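As an added example (not part of the rule or the SigmaHQ project), the Python below evaluates the rule's selection_* blocks and three of its filter_main_* blocks (generic paths, Defender's MsMpEng.exe, explorer.exe with 0x401) over constructed Sysmon Event ID 10 records, to show which GrantedAccess values match and why those filters exist. It assumes the field names as Sysmon writes them, lower-cases values because Sigma string matching is case-insensitive by default, and leaves out the optional and CallTrace-based filters.

```python
# Values are lower-cased before comparing: Sigma string modifiers such as
# endswith/startswith/contains are case-insensitive by default.
SUSPICIOUS_SUFFIXES = (  # selection_access: GrantedAccess|endswith
    "30", "50", "70", "90", "b0", "d0", "f0", "18", "38", "58", "78", "98",
    "b8", "d8", "f8", "1a", "3a", "5a", "7a", "9a", "ba", "da", "fa", "0x14c2",
)
SUSPICIOUS_PREFIXES = (  # selection_access: GrantedAccess|startswith
    "0x100000", "0x1418", "0x1438", "0x143a",
    "0x1f0fff", "0x1f1fff", "0x1f2fff", "0x1f3fff", "0x40",
)
GENERIC_PATHS = (  # filter_main_generic; swap in your AV's install path in production
    ":\\program files (x86)\\", ":\\program files\\",
    ":\\windows\\system32\\", ":\\windows\\syswow64\\",
)

def selection_matches(event: dict) -> bool:
    """all of selection_*: target is lsass.exe and the access mask looks suspicious."""
    target = event.get("TargetImage", "").lower()
    access = event.get("GrantedAccess", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    return access.endswith(SUSPICIOUS_SUFFIXES) or access.startswith(SUSPICIOUS_PREFIXES)

def main_filter_matches(event: dict) -> bool:
    """filter_main_generic, filter_main_windefend_1 and filter_main_explorer only."""
    source = event.get("SourceImage", "").lower()
    access = event.get("GrantedAccess", "").lower()
    if any(path in source for path in GENERIC_PATHS):
        return True
    if ":\\programdata\\microsoft\\windows defender\\" in source and source.endswith("\\msmpeng.exe"):
        return True
    return source.endswith("\\explorer.exe") and access == "0x401"

def rule_fires(event: dict) -> bool:
    """condition: all of selection_* and not 1 of filter_main_* (optional filters omitted)."""
    return selection_matches(event) and not main_filter_matches(event)

LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"SourceImage": "C:\\Users\\bob\\Downloads\\dump.exe", "TargetImage": LSASS, "GrantedAccess": "0x1438"},
    {"SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1418"},
    {"SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": LSASS, "GrantedAccess": "0x401"},
    {"SourceImage": "C:\\Temp\\tool.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{'ALERT' if rule_fires(event) else 'ok   '} {event['SourceImage']} {event['GrantedAccess']}")
```

Only the first record alerts: the Defender and explorer.exe records match the selection but are removed by their filters, and 0x1000 is a commented-out mask the rule deliberately does not cover.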
Related rules
- HackTool - Generic Process Access
- Credential Dumping Attempt Via WerFault
- LSASS Access From Potentially White-Listed Processes
- LSASS Memory Access by Tool With Dump Keyword In Name
- Mimikatz Use