Detection rules › Sigma

Potentially Suspicious AccessMask Requested From LSASS

Status
test
Severity
medium
Author
Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
Source
github.com/SigmaHQ/sigma

Detects process handle on LSASS process with certain access mask

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1003.001 OS Credential Dumping: LSASS Memory

Event coverage

Rule body yaml

title: Potentially Suspicious AccessMask Requested From LSASS
id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
status: test
description: Detects process handle on LSASS process with certain access mask
references:
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
date: 2019-11-01
modified: 2023-12-19
tags:
    - attack.credential-access
    - car.2019-04-004
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection_1:
        EventID: 4656 # A handle to an object was requested.
        ObjectName|endswith: '\lsass.exe'
        AccessMask|contains:
            - '0x40'
            - '0x1400'
            # - '0x1000'  # minimum access requirements to query basic info from service
            - '0x100000'
            - '0x1410'    # car.2019-04-004
            - '0x1010'    # car.2019-04-004
            - '0x1438'    # car.2019-04-004
            - '0x143a'    # car.2019-04-004
            - '0x1418'    # car.2019-04-004
            - '0x1f0fff'
            - '0x1f1fff'
            - '0x1f2fff'
            - '0x1f3fff'
    selection_2:
        EventID: 4663 # An attempt was made to access an object
        ObjectName|endswith: '\lsass.exe'
        AccessList|contains:
            - '4484'
            - '4416'
    filter_main_specific:
        ProcessName|endswith:
            - '\csrss.exe'
            - '\GamingServices.exe'
            - '\lsm.exe'
            - '\MicrosoftEdgeUpdate.exe'
            - '\minionhost.exe'  # Cyberreason
            - '\MRT.exe'         # MS Malware Removal Tool
            - '\MsMpEng.exe'     # Defender
            - '\perfmon.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\svchost.exe'
            - '\taskmgr.exe'
            - '\thor.exe'        # THOR
            - '\thor64.exe'      # THOR
            - '\vmtoolsd.exe'
            - '\VsTskMgr.exe'    # McAfee Enterprise
            - '\wininit.exe'
            - '\wmiprvse.exe'
            - 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
        ProcessName|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
            - ':\Windows\SysNative\'
            - ':\Windows\System32\'
            - ':\Windows\SysWow64\'
            - ':\Windows\Temp\asgard2-agent\'
    filter_main_generic:
        ProcessName|contains: ':\Program Files'  # too many false positives with legitimate AV and EDR solutions
    filter_main_exact:
        ProcessName|endswith:
            - ':\Windows\System32\taskhostw.exe'
            - ':\Windows\System32\msiexec.exe'
            - ':\Windows\CCM\CcmExec.exe'
    filter_main_sysmon:
        ProcessName|endswith: ':\Windows\Sysmon64.exe'
        AccessList|contains: '%%4484'
    filter_main_aurora:
        ProcessName|contains: ':\Windows\Temp\asgard2-agent-sc\aurora\'
        ProcessName|endswith: '\aurora-agent-64.exe'
        AccessList|contains: '%%4484'
    filter_main_scenarioengine:
        # Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
        ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
        AccessList|contains: '%%4484'
    filter_main_avira1:
        ProcessName|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\is-'
        ProcessName|endswith: '\avira_system_speedup.tmp'
        AccessList|contains: '%%4484'
    filter_main_avira2:
        ProcessName|contains: ':\Windows\Temp\'
        ProcessName|endswith: '\avira_speedup_setup_update.tmp'
        AccessList|contains: '%%4484'
    filter_main_snmp:
        ProcessName|endswith: ':\Windows\System32\snmp.exe'
        AccessList|contains: '%%4484'
    filter_main_googleupdate:
        ProcessName|contains: ':\Windows\SystemTemp\'
        ProcessName|endswith: '\GoogleUpdate.exe'
        AccessList|contains: '%%4484'
    filter_optional_procmon:
        ProcessName|endswith:
            - '\procmon64.exe'
            - '\procmon.exe'
        AccessList|contains: '%%4484'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
level: medium

Stages and Predicates

Stage 0: condition

1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*

Stage 1: selection_1

selection_1:
    EventID: 4656 # A handle to an object was requested.
    ObjectName|endswith: '\lsass.exe'
    AccessMask|contains:
        - '0x40'
        - '0x1400'
        # - '0x1000'  # minimum access requirements to query basic info from service
        - '0x100000'
        - '0x1410'    # car.2019-04-004
        - '0x1010'    # car.2019-04-004
        - '0x1438'    # car.2019-04-004
        - '0x143a'    # car.2019-04-004
        - '0x1418'    # car.2019-04-004
        - '0x1f0fff'
        - '0x1f1fff'
        - '0x1f2fff'
        - '0x1f3fff'

Stage 2: selection_2

selection_2:
    EventID: 4663 # An attempt was made to access an object
    ObjectName|endswith: '\lsass.exe'
    AccessList|contains:
        - '4484'
        - '4416'

Stage 3: not filter_main_*

filter_main_specific:
    ProcessName|endswith:
        - '\csrss.exe'
        - '\GamingServices.exe'
        - '\lsm.exe'
        - '\MicrosoftEdgeUpdate.exe'
        - '\minionhost.exe'  # Cyberreason
        - '\MRT.exe'         # MS Malware Removal Tool
        - '\MsMpEng.exe'     # Defender
        - '\perfmon.exe'
        - '\procexp.exe'
        - '\procexp64.exe'
        - '\svchost.exe'
        - '\taskmgr.exe'
        - '\thor.exe'        # THOR
        - '\thor64.exe'      # THOR
        - '\vmtoolsd.exe'
        - '\VsTskMgr.exe'    # McAfee Enterprise
        - '\wininit.exe'
        - '\wmiprvse.exe'
        - 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
    ProcessName|contains:
        - ':\Program Files (x86)\'
        - ':\Program Files\'
        - ':\ProgramData\Microsoft\Windows Defender\Platform\'
        - ':\Windows\SysNative\'
        - ':\Windows\System32\'
        - ':\Windows\SysWow64\'
        - ':\Windows\Temp\asgard2-agent\'
filter_main_generic:
    ProcessName|contains: ':\Program Files'  # too many false positives with legitimate AV and EDR solutions
filter_main_exact:
    ProcessName|endswith:
        - ':\Windows\System32\taskhostw.exe'
        - ':\Windows\System32\msiexec.exe'
        - ':\Windows\CCM\CcmExec.exe'
filter_main_sysmon:
    ProcessName|endswith: ':\Windows\Sysmon64.exe'
    AccessList|contains: '%%4484'
filter_main_aurora:
    ProcessName|contains: ':\Windows\Temp\asgard2-agent-sc\aurora\'
    ProcessName|endswith: '\aurora-agent-64.exe'
    AccessList|contains: '%%4484'
filter_main_scenarioengine:
    # Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
    ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
    AccessList|contains: '%%4484'
filter_main_avira1:
    ProcessName|contains|all:
        - ':\Users\'
        - '\AppData\Local\Temp\is-'
    ProcessName|endswith: '\avira_system_speedup.tmp'
    AccessList|contains: '%%4484'
filter_main_avira2:
    ProcessName|contains: ':\Windows\Temp\'
    ProcessName|endswith: '\avira_speedup_setup_update.tmp'
    AccessList|contains: '%%4484'
filter_main_snmp:
    ProcessName|endswith: ':\Windows\System32\snmp.exe'
    AccessList|contains: '%%4484'
filter_main_googleupdate:
    ProcessName|contains: ':\Windows\SystemTemp\'
    ProcessName|endswith: '\GoogleUpdate.exe'
    AccessList|contains: '%%4484'

Stage 4: not filter_optional_procmon

filter_optional_procmon:
    ProcessName|endswith:
        - '\procmon64.exe'
        - '\procmon.exe'
    AccessList|contains: '%%4484'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

StageFieldKindExcluded values
3ProcessNameends_withRtkAudUService64
3ProcessNameends_with\GamingServices.exe
3ProcessNameends_with\MRT.exe
3ProcessNameends_with\MicrosoftEdgeUpdate.exe
3ProcessNameends_with\MsMpEng.exe
3ProcessNameends_with\VsTskMgr.exe
3ProcessNameends_with\csrss.exe
3ProcessNameends_with\lsm.exe
3ProcessNameends_with\minionhost.exe
3ProcessNameends_with\perfmon.exe
3ProcessNameends_with\procexp.exe
3ProcessNameends_with\procexp64.exe
3ProcessNameends_with\svchost.exe
3ProcessNameends_with\taskmgr.exe
3ProcessNameends_with\thor.exe
3ProcessNameends_with\thor64.exe
3ProcessNameends_with\vmtoolsd.exe
3ProcessNameends_with\wininit.exe
3ProcessNameends_with\wmiprvse.exe
3ProcessNamematch:\Program Files (x86)\
3ProcessNamematch:\Program Files\
3ProcessNamematch:\ProgramData\Microsoft\Windows Defender\Platform\
3ProcessNamematch:\Windows\SysNative\
3ProcessNamematch:\Windows\SysWow64\
3ProcessNamematch:\Windows\System32\
3ProcessNamematch:\Windows\Temp\asgard2-agent\
3AccessListmatch%%4484
3ProcessNameends_with:\Windows\Sysmon64.exe
3AccessListmatch%%4484
3ProcessNameends_with:\Windows\System32\snmp.exe
3AccessListmatch%%4484
3ProcessNameends_with\GoogleUpdate.exe
3ProcessNamematch:\Windows\SystemTemp\
3AccessListmatch%%4484
3ProcessNameends_with\aurora-agent-64.exe
3ProcessNamematch:\Windows\Temp\asgard2-agent-sc\aurora\
3AccessListmatch%%4484
3ProcessNameends_with\avira_speedup_setup_update.tmp
3ProcessNamematch:\Windows\Temp\
3AccessListmatch%%4484
3ProcessNameends_with\avira_system_speedup.tmp
3ProcessNamematch:\Users\
3ProcessNamematch\AppData\Local\Temp\is-
3AccessListmatch%%4484
3ProcessNameends_with\x64\SCENARIOENGINE.EXE
3ProcessNameends_with:\Windows\CCM\CcmExec.exe
3ProcessNameends_with:\Windows\System32\msiexec.exe
3ProcessNameends_with:\Windows\System32\taskhostw.exe
3ProcessNamematch:\Program Files
4ProcessNameends_with\procmon.exe
4ProcessNameends_with\procmon64.exe
4AccessListmatch%%4484

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AccessListmatch
  • 4416
  • 4484
AccessMaskmatch
  • 0x100000
  • 0x1010
  • 0x1400
  • 0x1410
  • 0x1418
  • 0x1438
  • 0x143a
  • 0x1f0fff
  • 0x1f1fff
  • 0x1f2fff
  • 0x1f3fff
  • 0x40
ObjectNameends_with
  • \lsass.exe corpus 4 (sigma 4)