Detection rules › Sigma
Potentially Suspicious GrantedAccess Flags On LSASS
Detects process access requests to LSASS process with potentially suspicious access flags
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003.001 OS Credential Dumping: LSASS Memory |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 10 | ProcessAccess |
Stages and Predicates
Stage 1: all of selection_target
TargetImage|endswith: '\lsass.exe'
Stage 2: all of selection_access
or:
GrantedAccess|endswith: 0x14C2
GrantedAccess|endswith: 18
GrantedAccess|endswith: 1A
GrantedAccess|endswith: 30
GrantedAccess|endswith: 38
GrantedAccess|endswith: 3A
GrantedAccess|endswith: 50
GrantedAccess|endswith: 58
GrantedAccess|endswith: 5A
GrantedAccess|endswith: 70
GrantedAccess|endswith: 78
GrantedAccess|endswith: 7A
GrantedAccess|endswith: 90
GrantedAccess|endswith: 98
GrantedAccess|endswith: 9A
GrantedAccess|endswith: B0
GrantedAccess|endswith: B8
GrantedAccess|endswith: BA
GrantedAccess|endswith: D0
GrantedAccess|endswith: D8
GrantedAccess|endswith: DA
GrantedAccess|endswith: F0
GrantedAccess|endswith: F8
GrantedAccess|endswith: FA
GrantedAccess|startswith: 0x100000
GrantedAccess|startswith: 0x1418
GrantedAccess|startswith: 0x1438
GrantedAccess|startswith: 0x143a
GrantedAccess|startswith: 0x1f0fff
GrantedAccess|startswith: 0x1f1fff
GrantedAccess|startswith: 0x1f2fff
GrantedAccess|startswith: 0x1f3fff
GrantedAccess|startswith: 0x40
Stage 3: not 1 of filter_main_*
or:
CallTrace|contains: '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
CallTrace|contains: '}\mpengine.dll+'
GrantedAccess: 0x1418
GrantedAccess: 0x401
SourceImage|endswith: '\explorer.exe'
SourceImage|endswith: '\MsMpEng.exe'
SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\'
CallTrace|contains: '|c:\program files\windows defender\MpClient.dll'
CallTrace|contains: '|c:\program files\windows defender\mprtp.dll'
SourceImage|contains: ':\Program Files (x86)\'
SourceImage|contains: ':\Program Files\'
SourceImage|contains: ':\Windows\SysWOW64\'
SourceImage|contains: ':\Windows\System32\'
Stage 4: not 1 of filter_optional_*
or:
or:
SourceImage|endswith: '\PROCEXP.EXE'
SourceImage|endswith: '\PROCEXP64.EXE'
GrantedAccess: 0x40
or:
SourceImage|endswith: '\aurora-agent-64.exe'
SourceImage|endswith: '\aurora-agent.exe'
SourceImage|endswith: '\thor.exe'
SourceImage|endswith: '\thor64.exe'
GrantedAccess: 0x40
or:
SourceImage|endswith: '\handle.exe'
SourceImage|endswith: '\handle64.exe'
GrantedAccess: 0x40
GrantedAccess: 0x40
SourceImage|endswith: '\MBAMInstallerService.exe'
GrantedAccess: 0x401
SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
SourceImage|endswith: '\vmtoolsd.exe'
SourceImage|contains: ':\ProgramData\VMware\VMware Tools\'
SourceImage|endswith: ':\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
SourceImage|contains: '\SteamLibrary\steamapps\'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CallTrace | match |
|
GrantedAccess | ends_with |
|
GrantedAccess | eq |
|
GrantedAccess | starts_with |
|
SourceImage | ends_with |
|
SourceImage | match |
|
TargetImage | ends_with |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Credential Dumping Activity By Python Based Tool (adds 5 filters)
- HackTool - HandleKatz Duplicating LSASS Handle (adds 4 filters)
- Suspicious LSASS Access Via MalSecLogon (adds 3 filters)
- Lsass Memory Dump via Comsvcs DLL (adds 2 filters)
- LSASS Memory Access by Tool With Dump Keyword In Name (adds 2 filters)
- Potential Credential Dumping Activity Via LSASS (adds 2 filters)
- Credential Dumping Attempt Via WerFault (adds 2 filters)
- LSASS Access From Potentially White-Listed Processes (adds 2 filters)
- Remote LSASS Process Access Through Windows Remote Management (adds 1 filter)
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs (adds 1 filter)