LSASS Process Reconnaissance Via Findstr.EXE
Detects find/findstr commands that include the keyword lsass, which indicates reconnaissance for the LSASS process ID, typically performed before dumping its memory
Sigma rule
```yaml
title: LSASS Process Reconnaissance Via Findstr.EXE
id: fe63010f-8823-4864-a96b-a7b4a0f7b929
status: experimental
description: Detects findstr commands that include the keyword lsass, which indicates recon activity for the LSASS process PID
references:
    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
date: 2022-08-12
modified: 2024-06-04
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains: 'lsass'
    selection_special:
        CommandLine|contains|windash:
            - ' /i "lsass'
            - ' /i lsass.exe'
            - 'findstr "lsass'
            - 'findstr lsass'
            - 'findstr.exe "lsass'
            - 'findstr.exe lsass'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: high
```
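As an added example (not part of the SigmaHQ rule or this page, and not a Sigma backend), the following Python evaluates the rule's three selections and its condition over constructed process_creation events. It shows which command lines fire, why the `windash` modifier is what lets `' /i lsass.exe'` also catch the `-i` switch form in a parent shell's command line, and why `OriginalFileName` still catches a renamed findstr binary. The sample events and the minimal `windash` expansion are assumptions of this example.

```python
"""Hand-written evaluator for the rule's selections (example code, not the
SigmaHQ project's own). The `windash` handling follows the Sigma spec: each
'/' or '-' in the pattern matches the common Windows dash variants."""

# Dash variants recognised by Sigma's `windash` modifier:
# hyphen, slash, en dash, em dash, horizontal bar.
DASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_expand(pattern: str) -> list[str]:
    """Return every permutation of `pattern` with each '/' or '-' replaced
    by one of DASH_VARIANTS (this is what `contains|windash` matches)."""
    variants = [""]
    for ch in pattern:
        if ch in ("/", "-"):
            variants = [v + d for v in variants for d in DASH_VARIANTS]
        else:
            variants = [v + ch for v in variants]
    return variants


# Values copied from the rule. Sigma string matching is case-insensitive,
# so everything is compared in lower case.
IMAGE_SUFFIXES = ("\\find.exe", "\\findstr.exe")
ORIGINAL_FILE_NAMES = ("find.exe", "findstr.exe")
SPECIAL_RAW = [
    ' /i "lsass', ' /i lsass.exe', 'findstr "lsass',
    'findstr lsass', 'findstr.exe "lsass', 'findstr.exe lsass',
]
SPECIAL_PATTERNS = [v.lower() for raw in SPECIAL_RAW for v in windash_expand(raw)]


def _field(event: dict, name: str) -> str:
    return str(event.get(name, "")).lower()


def selection_findstr_img(event: dict) -> bool:
    # A list of maps under one selection is OR-ed: Image|endswith OR OriginalFileName.
    return (_field(event, "Image").endswith(IMAGE_SUFFIXES)
            or _field(event, "OriginalFileName") in ORIGINAL_FILE_NAMES)


def selection_findstr_cli(event: dict) -> bool:
    return "lsass" in _field(event, "CommandLine")


def selection_special(event: dict) -> bool:
    cmd = _field(event, "CommandLine")
    return any(p in cmd for p in SPECIAL_PATTERNS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_findstr_* or selection_special"""
    return (selection_findstr_img(event) and selection_findstr_cli(event)) \
        or selection_special(event)


# Constructed sample events (not real telemetry); field names follow the
# Sigma process_creation taxonomy.
SAMPLE_EVENTS = [
    {"id": "findstr_pipe", "Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE", "CommandLine": "findstr lsass"},
    {"id": "findstr_quoted", "Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE", "CommandLine": 'findstr.exe /i "lsass.exe"'},
    # Parent shell: Image is cmd.exe, so only selection_special can catch it,
    # and only because windash lets ' /i lsass.exe' match the '-i' switch.
    {"id": "cmd_windash", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c tasklist | findstr -i lsass.exe"},
    # Renamed copy of findstr: Image does not match, OriginalFileName does.
    {"id": "renamed_findstr", "Image": r"C:\Temp\f.exe",
     "OriginalFileName": "FINDSTR.EXE", "CommandLine": "f.exe lsass"},
    # Benign: findstr without lsass, and lsass without find/findstr.
    {"id": "findstr_wifi", "Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE", "CommandLine": 'findstr /c:"Wi-Fi" netsh.txt'},
    {"id": "notepad_lsass", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\notes\lsass_readme.txt"},
]


def matching_ids(events: list[dict]) -> list[str]:
    """Return the ids of the events on which the rule fires."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT" if rule_matches(e) else "-"
        print(f'{e["id"]:>16}: {verdict:5}  {e["CommandLine"]}')
```

The `cmd_windash` event is the reason `selection_special` exists: when an analyst only sees the parent shell's process_creation event (for example because the child findstr.exe event is missing or the command ran inline), `selection_findstr_img` cannot match, and only the command-line patterns do. Note that `selection_findstr_cli` is deliberately broad (`lsass` anywhere in the command line of find/findstr), which is why the rule lists its false positives as unknown; in production, run the rule through a proper Sigma backend such as pySigma rather than this evaluator.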
References
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
Related rules
- Access To Potentially Sensitive Sysvol Files By Uncommon Applications
- Findstr GPP Passwords
- Suspicious SYSVOL Domain Group Policy Access
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript