Potentially Suspicious GrantedAccess Flags On LSASS

Status: test
Severity: medium
Author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
Source: github.com/SigmaHQ/sigma

Detects process access requests to LSASS process with potentially suspicious access flags

MITRE ATT&CK coverage

Tactic             Technique
Credential Access  T1003.001 OS Credential Dumping: LSASS Memory

Event coverage

Provider  Event        Title
Sysmon    Event ID 10  ProcessAccess

Rule body yaml

title: Potentially Suspicious GrantedAccess Flags On LSASS
id: a18dd26b-6450-46de-8c91-9659150cf088
related:
    - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
      type: similar
status: test
description: Detects process access requests to LSASS process with potentially suspicious access flags
references:
    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
date: 2021-11-22
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection_target:
        TargetImage|endswith: '\lsass.exe'
    selection_access:
        - GrantedAccess|endswith:
              # - '10'  # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
              - '30'
              - '50'
              - '70'
              - '90'
              - 'B0'
              - 'D0'
              - 'F0'
              - '18'
              - '38'
              - '58'
              - '78'
              - '98'
              - 'B8'
              - 'D8'
              - 'F8'
              - '1A'
              - '3A'
              - '5A'
              - '7A'
              - '9A'
              - 'BA'
              - 'DA'
              - 'FA'
              - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
        - GrantedAccess|startswith:
              - '0x100000'
              - '0x1418'    # car.2019-04-004
              - '0x1438'    # car.2019-04-004
              - '0x143a'    # car.2019-04-004
              - '0x1f0fff'
              - '0x1f1fff'
              - '0x1f2fff'
              - '0x1f3fff'
              - '0x40'
              # - '0x1000'  # minimum access requirements to query basic info from service
              # - '0x1010'    # car.2019-04-004
              # - '0x1400'
              # - '0x1410'    # car.2019-04-004 # Covered by 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
    filter_main_generic:
        # When using this rule. Remove this filter and replace it by the path of the specific AV you use
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_optional_malwarebytes:
        SourceImage|endswith: ':\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
    filter_optional_vscode:
        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
    filter_main_windefend_1:
        SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\'
        SourceImage|endswith: '\MsMpEng.exe'
    filter_main_windefend_2:
        CallTrace|contains|all:
            - '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
            - '}\mpengine.dll+'
        GrantedAccess: '0x1418'
    filter_main_windefend_3:
        CallTrace|contains:
            - '|c:\program files\windows defender\mprtp.dll'
            - '|c:\program files\windows defender\MpClient.dll'
    filter_optional_vmwaretools:
        SourceImage|contains: ':\ProgramData\VMware\VMware Tools\'
        SourceImage|endswith: '\vmtoolsd.exe'
    filter_optional_sysinternals_process_explorer:
        SourceImage|endswith:
            - '\PROCEXP64.EXE'
            - '\PROCEXP.EXE'
        GrantedAccess: '0x40'
    filter_optional_mbami:
        SourceImage|endswith: '\MBAMInstallerService.exe'
        GrantedAccess: '0x40'
    filter_optional_nextron:
        SourceImage|endswith:
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
            - '\thor.exe'
            - '\thor64.exe'
        GrantedAccess: '0x40'
    filter_main_explorer:
        SourceImage|endswith: '\explorer.exe'
        GrantedAccess: '0x401'
    filter_optional_sysinternals_handle:
        SourceImage|endswith:
            - '\handle.exe'
            - '\handle64.exe'
        GrantedAccess: '0x40'
    filter_optional_webex:
        SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
        GrantedAccess: '0x401'
    filter_optional_steam_apps:
        SourceImage|contains: '\SteamLibrary\steamapps\'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software such as AV and EDR
level: medium
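Worked evaluation of the rule (an added example; this Python is not part of SigmaHQ, Sysmon or any of the rule's references). It transcribes the selection lists and filter blocks above, re-implements Sigma's string semantics as used by this rule (case-insensitive comparison, '*' and '?' as wildcards, everything else literal), decodes each GrantedAccess mask into the PROCESS_* rights from the Microsoft page the rule cites, and runs the rule over a handful of constructed Sysmon Event ID 10 records. The sample paths, process names and call traces are invented for illustration. Three behaviours are worth seeing: 0x1FFFFF (PROCESS_ALL_ACCESS) appears in neither list, so this particular rule stays quiet on it; filter_main_generic silences any source under System32 or Program Files until it is replaced as the YAML comment instructs; and the optional filters are bound to one mask, so a binary merely named procexp64.exe that requests 0x1478 still alerts.

```python
import re

# PROCESS_* access rights from the Microsoft "Process Security and Access Rights" page the rule
# references, plus the standard rights and SYNCHRONIZE that complete PROCESS_ALL_ACCESS (0x1FFFFF).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x010000: "DELETE", 0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

def decode_granted_access(value):
    """Expand a Sysmon GrantedAccess hex string into the named rights set in the mask."""
    mask = int(value, 16)
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]

# selection_access transcribed from the rule body (active entries only; commented-out ones omitted).
ACCESS_ENDSWITH = ["30", "50", "70", "90", "B0", "D0", "F0", "18", "38", "58", "78", "98", "B8",
                   "D8", "F8", "1A", "3A", "5A", "7A", "9A", "BA", "DA", "FA", "0x14C2"]
ACCESS_STARTSWITH = ["0x100000", "0x1418", "0x1438", "0x143a", "0x1f0fff", "0x1f1fff",
                     "0x1f2fff", "0x1f3fff", "0x40"]

def sigma_match(op, value, patterns):
    """Sigma string semantics: case-insensitive, '*' and '?' are wildcards, all else literal."""
    def rx(p):
        body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        return {"eq": body, "startswith": body + ".*", "endswith": ".*" + body}.get(op, ".*" + body + ".*")
    hits = [re.fullmatch(rx(p), value, re.IGNORECASE | re.DOTALL) is not None for p in patterns]
    return all(hits) if op == "contains_all" else any(hits)

# Each filter is a list of (field, op, patterns) terms that must all hold for it to suppress a hit.
FILTERS_MAIN = {
    "filter_main_generic": [("SourceImage", "contains", [":\\Program Files (x86)\\", ":\\Program Files\\",
                                                          ":\\Windows\\System32\\", ":\\Windows\\SysWOW64\\"])],
    "filter_main_windefend_1": [("SourceImage", "contains", [":\\ProgramData\\Microsoft\\Windows Defender\\"]),
                                ("SourceImage", "endswith", ["\\MsMpEng.exe"])],
    "filter_main_windefend_2": [("CallTrace", "contains_all",
                                 ["|?:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{",
                                  "}\\mpengine.dll+"]),
                                ("GrantedAccess", "eq", ["0x1418"])],
    "filter_main_windefend_3": [("CallTrace", "contains", ["|c:\\program files\\windows defender\\mprtp.dll",
                                                           "|c:\\program files\\windows defender\\MpClient.dll"])],
    "filter_main_explorer": [("SourceImage", "endswith", ["\\explorer.exe"]), ("GrantedAccess", "eq", ["0x401"])],
}
FILTERS_OPTIONAL = {
    "filter_optional_malwarebytes": [("SourceImage", "endswith",
                                      [":\\ProgramData\\MALWAREBYTES\\MBAMSERVICE\\ctlrupdate\\mbupdatr.exe"])],
    "filter_optional_vscode": [("SourceImage", "endswith", ["\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"])],
    "filter_optional_vmwaretools": [("SourceImage", "contains", [":\\ProgramData\\VMware\\VMware Tools\\"]),
                                    ("SourceImage", "endswith", ["\\vmtoolsd.exe"])],
    "filter_optional_sysinternals_process_explorer": [("SourceImage", "endswith", ["\\PROCEXP64.EXE", "\\PROCEXP.EXE"]),
                                                      ("GrantedAccess", "eq", ["0x40"])],
    "filter_optional_mbami": [("SourceImage", "endswith", ["\\MBAMInstallerService.exe"]), ("GrantedAccess", "eq", ["0x40"])],
    "filter_optional_nextron": [("SourceImage", "endswith", ["\\aurora-agent-64.exe", "\\aurora-agent.exe",
                                                             "\\thor.exe", "\\thor64.exe"]),
                                ("GrantedAccess", "eq", ["0x40"])],
    "filter_optional_sysinternals_handle": [("SourceImage", "endswith", ["\\handle.exe", "\\handle64.exe"]),
                                            ("GrantedAccess", "eq", ["0x40"])],
    "filter_optional_webex": [("SourceImage", "endswith", ["\\AppData\\Local\\WebEx\\WebexHost.exe"]),
                              ("GrantedAccess", "eq", ["0x401"])],
    "filter_optional_steam_apps": [("SourceImage", "contains", ["\\SteamLibrary\\steamapps\\"])],
}

def rule_matches(ev, keep_generic_filter=True):
    """Evaluate 'all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*'."""
    if not sigma_match("endswith", ev.get("TargetImage", ""), ["\\lsass.exe"]):
        return False
    ga = ev.get("GrantedAccess", "")
    if not (sigma_match("endswith", ga, ACCESS_ENDSWITH) or sigma_match("startswith", ga, ACCESS_STARTSWITH)):
        return False
    filters = {**FILTERS_MAIN, **FILTERS_OPTIONAL}
    if not keep_generic_filter:  # the YAML comment tells deployers to replace this filter
        del filters["filter_main_generic"]
    return not any(all(sigma_match(op, ev.get(f, ""), pats) for f, op, pats in terms)
                   for terms in filters.values())

LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS = {  # constructed Sysmon EID 10 records with invented paths, not real telemetry
    "dumper_in_temp_0x1438":   {"SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe", "GrantedAccess": "0x1438"},
    "procdump_all_access":     {"SourceImage": "C:\\Users\\alice\\Downloads\\procdump64.exe", "GrantedAccess": "0x1FFFFF"},
    "defender_engine_0x1438":  {"SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
                                "GrantedAccess": "0x1438"},
    "procexp_dup_handle_0x40": {"SourceImage": "C:\\Users\\alice\\Downloads\\procexp64.exe", "GrantedAccess": "0x40"},
    "procexp_name_but_0x1478": {"SourceImage": "C:\\Users\\alice\\Downloads\\procexp64.exe", "GrantedAccess": "0x1478"},
    "system32_dropped_0x1438": {"SourceImage": "C:\\Windows\\System32\\updater.exe", "GrantedAccess": "0x1438"},
}
for _ev in SAMPLE_EVENTS.values():
    _ev.setdefault("TargetImage", LSASS)
    _ev.setdefault("CallTrace", "")

def evaluate_all(keep_generic_filter=True):
    """Run the rule over every sample record; returns {record name: fired?}."""
    return {name: rule_matches(ev, keep_generic_filter) for name, ev in SAMPLE_EVENTS.items()}

if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        rights = decode_granted_access(SAMPLE_EVENTS[name]["GrantedAccess"])
        print(f"{'ALERT' if hit else 'quiet'}  {name:26s} {rights}")
    print("system32 source with filter_main_generic removed:",
          evaluate_all(keep_generic_filter=False)["system32_dropped_0x1438"])
```

Run it directly to print ALERT/quiet per record alongside the decoded rights. rule_matches() takes one record as a dict of Sysmon field names to strings, which is how most SIEM exports present Event ID 10, so the same function can be pointed at real exported events to see which filter is absorbing a given source before the generic filter is swapped for the deployed AV's path.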

Stages and Predicates

Stage 0: condition

all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*

Stage 1: selection_target

selection_target:
    TargetImage|endswith: '\lsass.exe'

Stage 2: selection_access

selection_access:
    - GrantedAccess|endswith:
          # - '10'  # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
          - '30'
          - '50'
          - '70'
          - '90'
          - 'B0'
          - 'D0'
          - 'F0'
          - '18'
          - '38'
          - '58'
          - '78'
          - '98'
          - 'B8'
          - 'D8'
          - 'F8'
          - '1A'
          - '3A'
          - '5A'
          - '7A'
          - '9A'
          - 'BA'
          - 'DA'
          - 'FA'
          - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
    - GrantedAccess|startswith:
          - '0x100000'
          - '0x1418'    # car.2019-04-004
          - '0x1438'    # car.2019-04-004
          - '0x143a'    # car.2019-04-004
          - '0x1f0fff'
          - '0x1f1fff'
          - '0x1f2fff'
          - '0x1f3fff'
          - '0x40'
          # - '0x1000'  # minimum access requirements to query basic info from service
          # - '0x1010'    # car.2019-04-004
          # - '0x1400'
          # - '0x1410'    # car.2019-04-004 # Covered by 678dfc63-fefb-47a5-a04c-26bcf8cc9f65

Stage 3: not filter_main_*

filter_main_generic:
    # When using this rule. Remove this filter and replace it by the path of the specific AV you use
    SourceImage|contains:
        - ':\Program Files (x86)\'
        - ':\Program Files\'
        - ':\Windows\System32\'
        - ':\Windows\SysWOW64\'
filter_main_windefend_1:
    SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\'
    SourceImage|endswith: '\MsMpEng.exe'
filter_main_windefend_2:
    CallTrace|contains|all:
        - '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
        - '}\mpengine.dll+'
    GrantedAccess: '0x1418'
filter_main_windefend_3:
    CallTrace|contains:
        - '|c:\program files\windows defender\mprtp.dll'
        - '|c:\program files\windows defender\MpClient.dll'
filter_main_explorer:
    SourceImage|endswith: '\explorer.exe'
    GrantedAccess: '0x401'

Stage 4: not filter_optional_*

filter_optional_malwarebytes:
    SourceImage|endswith: ':\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
filter_optional_vscode:
    SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
filter_optional_vmwaretools:
    SourceImage|contains: ':\ProgramData\VMware\VMware Tools\'
    SourceImage|endswith: '\vmtoolsd.exe'
filter_optional_sysinternals_process_explorer:
    SourceImage|endswith:
        - '\PROCEXP64.EXE'
        - '\PROCEXP.EXE'
    GrantedAccess: '0x40'
filter_optional_mbami:
    SourceImage|endswith: '\MBAMInstallerService.exe'
    GrantedAccess: '0x40'
filter_optional_nextron:
    SourceImage|endswith:
        - '\aurora-agent-64.exe'
        - '\aurora-agent.exe'
        - '\thor.exe'
        - '\thor64.exe'
    GrantedAccess: '0x40'
filter_optional_sysinternals_handle:
    SourceImage|endswith:
        - '\handle.exe'
        - '\handle64.exe'
    GrantedAccess: '0x40'
filter_optional_webex:
    SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
    GrantedAccess: '0x401'
filter_optional_steam_apps:
    SourceImage|contains: '\SteamLibrary\steamapps\'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses. Terms that belong to the same filter block (for example a SourceImage pattern and the GrantedAccess value paired with it) are listed as separate rows here but only suppress an event together; a GrantedAccess of 0x40 on its own does not exclude anything.

Stage  Field          Kind        Excluded value
3      CallTrace      match       |?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{
3      CallTrace      match       }\mpengine.dll+
3      GrantedAccess  eq          0x1418
3      GrantedAccess  eq          0x401
3      SourceImage    ends_with   \explorer.exe
3      SourceImage    ends_with   \MsMpEng.exe
3      SourceImage    match       :\ProgramData\Microsoft\Windows Defender\
3      CallTrace      match       |c:\program files\windows defender\MpClient.dll
3      CallTrace      match       |c:\program files\windows defender\mprtp.dll
3      SourceImage    match       :\Program Files (x86)\
3      SourceImage    match       :\Program Files\
3      SourceImage    match       :\Windows\SysWOW64\
3      SourceImage    match       :\Windows\System32\
4      SourceImage    ends_with   \PROCEXP.EXE
4      SourceImage    ends_with   \PROCEXP64.EXE
4      GrantedAccess  eq          0x40
4      SourceImage    ends_with   \aurora-agent-64.exe
4      SourceImage    ends_with   \aurora-agent.exe
4      SourceImage    ends_with   \thor.exe
4      SourceImage    ends_with   \thor64.exe
4      GrantedAccess  eq          0x40
4      SourceImage    ends_with   \handle.exe
4      SourceImage    ends_with   \handle64.exe
4      GrantedAccess  eq          0x40
4      GrantedAccess  eq          0x40
4      SourceImage    ends_with   \MBAMInstallerService.exe
4      GrantedAccess  eq          0x401
4      SourceImage    ends_with   \AppData\Local\WebEx\WebexHost.exe
4      SourceImage    ends_with   \vmtoolsd.exe
4      SourceImage    match       :\ProgramData\VMware\VMware Tools\
4      SourceImage    ends_with   :\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe
4      SourceImage    ends_with   \AppData\Local\Programs\Microsoft VS Code\Code.exe
4      SourceImage    match       \SteamLibrary\steamapps\

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field          Kind         Values
GrantedAccess  ends_with
  • 0x14C2 corpus 4 (sigma 4)
  • 18 corpus 4 (sigma 4)
  • 1A corpus 4 (sigma 4)
  • 30 corpus 4 (sigma 4)
  • 38 corpus 4 (sigma 4)
  • 3A corpus 4 (sigma 4)
  • 50 corpus 4 (sigma 4)
  • 58 corpus 4 (sigma 4)
  • 5A corpus 4 (sigma 4)
  • 70 corpus 4 (sigma 4)
  • 78 corpus 4 (sigma 4)
  • 7A corpus 4 (sigma 4)
  • 90 corpus 4 (sigma 4)
  • 98 corpus 4 (sigma 4)
  • 9A corpus 4 (sigma 4)
  • B0 corpus 4 (sigma 4)
  • B8 corpus 4 (sigma 4)
  • BA corpus 4 (sigma 4)
  • D0 corpus 4 (sigma 4)
  • D8 corpus 4 (sigma 4)
  • DA corpus 4 (sigma 4)
  • F0 corpus 4 (sigma 4)
  • F8 corpus 4 (sigma 4)
  • FA corpus 4 (sigma 4)
GrantedAccess  starts_with
  • 0x100000
  • 0x1418
  • 0x1438
  • 0x143a
  • 0x1f0fff
  • 0x1f1fff
  • 0x1f2fff
  • 0x1f3fff
  • 0x40
TargetImage    ends_with
  • \lsass.exe corpus 16 (sigma 16)