LSASS Access From Non System Account

Severity: medium
Author: Roberto Rodriguez @Cyb3rWard0g
Source: upstream

Detects potential mimikatz-like tools accessing LSASS from non system account

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1003.001` OS Credential Dumping: LSASS Memory

Event coverage

Provider	Event ID	Title
Security-Auditing	4656	A handle to an object was requested.
Security-Auditing	4663	An attempt was made to access an object.

Stages and Predicates

Stage 1: `selection`

AccessMask: [0x100000, 0x1010, 0x1400, 0x1410, 0x1418, 0x1438, 0x143a, 0x1f0fff, 0x1f1fff, 0x1f2fff, 0x1f3fff, 0x40, 143a, 1f0fff, 1f1fff, 1f2fff, 1f3fff]
ObjectName|endswith: '\lsass.exe'
ObjectType: Process

Stage 2: `not 1 of filter_main_*`

or:
AccessMask: 0x1410
ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
ProcessName|contains: ':\Program Files (x86)\'
ProcessName|contains: ':\Program Files\'
SubjectUserName|endswith: '$'

Stage 3: `not 1 of filter_optional_steam`

ProcessName|contains: '\SteamLibrary\steamapps\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AccessMask`	eq	`0x100000` `0x1010` `0x1400` `0x1410` `0x1418` `0x1438` `0x143a` `0x1f0fff` `0x1f1fff` `0x1f2fff` `0x1f3fff` `0x40` `143a` `1f0fff` `1f1fff` `1f2fff` `1f3fff`
`ObjectName`	ends_with	`\lsass.exe` corpus 2 (sigma 2)
`ObjectType`	eq	`Process`
`ProcessName`	eq	`C:\Windows\System32\wbem\WmiPrvSE.exe` corpus 2 (sigma 2)
`ProcessName`	match	`:\Program Files (x86)\` corpus 2 (sigma 2) `:\Program Files\` corpus 2 (sigma 2) `\SteamLibrary\steamapps\`
`SubjectUserName`	ends_with	`$` corpus 18 (sigma 14, elastic 4)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Azure AD Health Monitoring Agent Registry Keys Access [sigma]
Azure AD Health Service Agents Registry Keys Access [sigma]
Processes Accessing the Microphone and Webcam [sigma]
WCE wceaux.dll Access [sigma]
Potential Secure Deletion with SDelete [sigma]
Potentially Suspicious AccessMask Requested From LSASS [sigma]
SysKey Registry Keys Access [sigma]
Sysmon Channel Reference Deletion [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Azure AD Health Monitoring Agent Registry Keys Access [sigma]
Azure AD Health Service Agents Registry Keys Access [sigma]
Processes Accessing the Microphone and Webcam [sigma]
WCE wceaux.dll Access [sigma]
Potential Secure Deletion with SDelete [sigma]
Potentially Suspicious AccessMask Requested From LSASS [sigma]
SysKey Registry Keys Access [sigma]
Windows Defender Exclusion Registry Key - Write Access Requested [sigma]