Potentially Suspicious GrantedAccess Flags On LSASS

calendar Dec 4, 2023 · attack.credential_access attack.t1003.001 attack.s0002  ·
Share on: linkedin copy

Detects process access requests to LSASS process with potentially suspicious access flags

Sigma rule (View on GitHub)

  1title: Potentially Suspicious GrantedAccess Flags On LSASS
  2id: a18dd26b-6450-46de-8c91-9659150cf088
  3related:
  4    - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
  5      type: similar
  6status: experimental
  7description: Detects process access requests to LSASS process with potentially suspicious access flags
  8references:
  9    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
 10    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
 11    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 12    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 13    - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 14author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
 15date: 2021/11/22
 16modified: 2023/11/29
 17tags:
 18    - attack.credential_access
 19    - attack.t1003.001
 20    - attack.s0002
 21logsource:
 22    category: process_access
 23    product: windows
 24detection:
 25    selection_target:
 26        TargetImage|endswith: '\lsass.exe'
 27    selection_access:
 28        - GrantedAccess|endswith:
 29              # - '10'  # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
 30              - '30'
 31              - '50'
 32              - '70'
 33              - '90'
 34              - 'B0'
 35              - 'D0'
 36              - 'F0'
 37              - '18'
 38              - '38'
 39              - '58'
 40              - '78'
 41              - '98'
 42              - 'B8'
 43              - 'D8'
 44              - 'F8'
 45              - '1A'
 46              - '3A'
 47              - '5A'
 48              - '7A'
 49              - '9A'
 50              - 'BA'
 51              - 'DA'
 52              - 'FA'
 53              - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
 54        - GrantedAccess|startswith:
 55              - '0x100000'
 56              - '0x1418'    # car.2019-04-004
 57              - '0x1438'    # car.2019-04-004
 58              - '0x143a'    # car.2019-04-004
 59              - '0x1f0fff'
 60              - '0x1f1fff'
 61              - '0x1f2fff'
 62              - '0x1f3fff'
 63              - '0x40'
 64              # - '0x1000'  # minimum access requirements to query basic info from service
 65              # - '0x1010'    # car.2019-04-004
 66              # - '0x1400'
 67              # - '0x1410'    # car.2019-04-004 # Covered by 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
 68    filter_main_generic:
 69        # When using this rule. Remove this filter and replace it by the path of the specific AV you use
 70        SourceImage|contains:
 71            - ':\Program Files (x86)\'
 72            - ':\Program Files\'
 73            - ':\Windows\System32\'
 74            - ':\Windows\SysWOW64\'
 75    filter_optional_malwarebytes:
 76        SourceImage|endswith: ':\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
 77    filter_optional_vscode:
 78        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
 79    filter_main_windefend_1:
 80        SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\'
 81        SourceImage|endswith: '\MsMpEng.exe'
 82    filter_main_windefend_2:
 83        CallTrace|contains|all:
 84            - '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
 85            - '}\mpengine.dll+'
 86        GrantedAccess: '0x1418'
 87    filter_main_windefend_3:
 88        CallTrace|contains:
 89            - '|c:\program files\windows defender\mprtp.dll'
 90            - '|c:\program files\windows defender\MpClient.dll'
 91    filter_optional_vmwaretools:
 92        SourceImage|contains: ':\ProgramData\VMware\VMware Tools\'
 93        SourceImage|endswith: '\vmtoolsd.exe'
 94    filter_optional_sysinternals_process_explorer:
 95        SourceImage|endswith:
 96            - '\PROCEXP64.EXE'
 97            - '\PROCEXP.EXE'
 98        GrantedAccess: '0x40'
 99    filter_optional_mbami:
100        SourceImage|endswith: '\MBAMInstallerService.exe'
101        GrantedAccess: '0x40'
102    filter_optional_nextron:
103        SourceImage|endswith:
104            - '\aurora-agent-64.exe'
105            - '\aurora-agent.exe'
106            - '\thor.exe'
107            - '\thor64.exe'
108        GrantedAccess: '0x40'
109    filter_main_explorer:
110        SourceImage|endswith: '\explorer.exe'
111        GrantedAccess: '0x401'
112    filter_optional_sysinternals_handle:
113        SourceImage|endswith:
114            - '\handle.exe'
115            - '\handle64.exe'
116        GrantedAccess: '0x40'
117    filter_optional_webex:
118        SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
119        GrantedAccess: '0x401'
120    filter_optional_steam_apps:
121        SourceImage|contains: '\SteamLibrary\steamapps\'
122    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
123falsepositives:
124    - Legitimate software such as AV and EDR
125level: medium

References

Related rules

to-top