Suspicious Lsass Process Access

Author: Elastic
Source: upstream

Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1003` OS Credential Dumping, `T1003.001` OS Credential Dumping: LSASS Memory

Event coverage

Provider	Event ID	Title
Sysmon	10	ProcessAccess

Stages and Predicates

Stage 1: `eql:process`

not process.executable:"?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\*" and not process.name:"procexp64.exe" and not winlog.event_data.CallTrace:"mpengine.dll" and not winlog.event_data.GrantedAccess:0x1000 and winlog.event_data.TargetImage:"?:\\WINDOWS\\system32\\lsass.exe"

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`CallTrace`	match	`mpengine.dll`, `appresolver.dll`, `sysmain.dll`
2	`GrantedAccess`	eq	`0x1000`, `0x1400`, `0x101400`, `0x101000`, `0x101001`, `0x100000`, `0x100040`, `0x3200`, `0x40`, `0x3200`
3	`Image`	wildcard	`?:\ProgramData\Microsoft\Windows Defender\platform\`, `?:\ProgramData\WebEx\webex\`, `?:\Program Files (x86)\`, `?:\Program Files\`, `?:\Windows\CCM\CcmExec.exe`, `?:\Windows\LTSvc\LTSVC.exe`, `?:\Windows\Sysmon.exe`, `?:\Windows\Sysmon64.exe`, `C:\Windows\CynetMS.exe`, `?:\Windows\system32\csrss.exe`, `?:\Windows\System32\lsm.exe`, `?:\Windows\system32\MRT.exe`, `?:\Windows\System32\msiexec.exe`, `?:\Windows\system32\wbem\wmiprvse.exe`, `?:\Windows\system32\wininit.exe`, `?:\Windows\SystemTemp\GUM.tmp\GoogleUpdate.exe`, `?:\Windows\sysWOW64\wbem\wmiprvse.exe`, `C:\oracle\64\02\instantclient_19_13\sqlplus.exe`, `C:\oracle\64\02\instantclient_19_13\sqlldr.exe`, `d:\oracle\product\19\dbhome1\bin\ORACLE.EXE`, `C:\wamp\bin\apache\apache\bin\httpd.exe`, `C:\Windows\system32\netstat.exe`, `C:\PROGRA~1\INFORM~1\apps\jdk\*\jre\bin\java.exe`, `C:\PROGRA~2\CyberCNSAgentV2\osqueryi.exe`, `C:\Utilityw2k19\packetbeat\packetbeat.exe`, `C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\CloudUpdate\vpndownloader.exe`, `C:\ProgramData\Cisco\Cisco Secure Client\Temp\CloudUpdate\vpndownloader.exe`
4	`process_name`	eq	`procexp64.exe`, `procmon.exe`, `procexp.exe`, `Microsoft.Identity.AadConnect.Health.AadSync.Host.ex`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`winlog.event_data.TargetImage`	wildcard	`?:\WINDOWS\system32\lsass.exe` corpus 4 (elastic 4)