Detection rules › Sigma
LSASS Access Detected via Attack Surface Reduction
Detects Access to LSASS Process
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003.001 OS Credential Dumping: LSASS Memory |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Windows-Defender | 1121 |
Stages and Predicates
Stage 1: selection
Path|endswith: '\lsass.exe'
Stage 2: not 1 of filter_*
or:
or:
ProcessName|endswith: '\thor.exe'
ProcessName|endswith: '\thor64.exe'
ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
ProcessName: 'C:\Windows\SysWOW64\msiexec.exe'
ProcessName: 'C:\Windows\System32\CompatTelRunner.exe'
ProcessName: 'C:\Windows\System32\Taskmgr.exe'
ProcessName: 'C:\Windows\System32\atiesrxx.exe'
ProcessName: 'C:\Windows\System32\msiexec.exe'
ProcessName: 'C:\Windows\System32\nvwmi64.exe'
ProcessName: 'C:\Windows\System32\svchost.exe'
ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
ProcessName|startswith: 'C:\Program Files (x86)\'
ProcessName|startswith: 'C:\Program Files\'
ProcessName|startswith: 'C:\WINDOWS\Installer\'
ProcessName|startswith: 'C:\Windows\System32\DriverStore\'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Path | ends_with |
|
ProcessName | ends_with |
|
ProcessName | eq |
|
ProcessName | starts_with |
|