detection.wiki

Detection rules › Sigma

Potentially Suspicious AccessMask Requested From LSASS

Severity
medium
Author
Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
Source
upstream

Detects process handle on LSASS process with certain access mask

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1003.001 OS Credential Dumping: LSASS Memory

Event coverage

ProviderEvent IDTitle
Security-Auditing4656A handle to an object was requested.
Security-Auditing4663An attempt was made to access an object.

Stages and Predicates

Stage 1: 1 of selection_1

or:
AccessMask|contains: 0x100000
AccessMask|contains: 0x1010
AccessMask|contains: 0x1400
AccessMask|contains: 0x1410
AccessMask|contains: 0x1418
AccessMask|contains: 0x1438
AccessMask|contains: 0x143a
AccessMask|contains: 0x1f0fff
AccessMask|contains: 0x1f1fff
AccessMask|contains: 0x1f2fff
AccessMask|contains: 0x1f3fff
AccessMask|contains: 0x40
ObjectName|endswith: '\lsass.exe'

Stage 2: 1 of selection_2

or:
AccessList|contains: 4416
AccessList|contains: 4484
ObjectName|endswith: '\lsass.exe'

Stage 3: not 1 of filter_main_*

or:
or:
ProcessName|endswith: RtkAudUService64
ProcessName|endswith: '\GamingServices.exe'
ProcessName|endswith: '\MRT.exe'
ProcessName|endswith: '\MicrosoftEdgeUpdate.exe'
ProcessName|endswith: '\MsMpEng.exe'
ProcessName|endswith: '\VsTskMgr.exe'
ProcessName|endswith: '\csrss.exe'
ProcessName|endswith: '\lsm.exe'
ProcessName|endswith: '\minionhost.exe'
ProcessName|endswith: '\perfmon.exe'
ProcessName|endswith: '\procexp.exe'
ProcessName|endswith: '\procexp64.exe'
ProcessName|endswith: '\svchost.exe'
ProcessName|endswith: '\taskmgr.exe'
ProcessName|endswith: '\thor.exe'
ProcessName|endswith: '\thor64.exe'
ProcessName|endswith: '\vmtoolsd.exe'
ProcessName|endswith: '\wininit.exe'
ProcessName|endswith: '\wmiprvse.exe'
or:
ProcessName|contains: ':\Program Files (x86)\'
ProcessName|contains: ':\Program Files\'
ProcessName|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
ProcessName|contains: ':\Windows\SysNative\'
ProcessName|contains: ':\Windows\SysWow64\'
ProcessName|contains: ':\Windows\System32\'
ProcessName|contains: ':\Windows\Temp\asgard2-agent\'
AccessList|contains: '%%4484'
ProcessName|endswith: ':\Windows\Sysmon64.exe'
AccessList|contains: '%%4484'
ProcessName|endswith: ':\Windows\System32\snmp.exe'
AccessList|contains: '%%4484'
ProcessName|endswith: '\GoogleUpdate.exe'
ProcessName|contains: ':\Windows\SystemTemp\'
AccessList|contains: '%%4484'
ProcessName|endswith: '\aurora-agent-64.exe'
ProcessName|contains: ':\Windows\Temp\asgard2-agent-sc\aurora\'
AccessList|contains: '%%4484'
ProcessName|endswith: '\avira_speedup_setup_update.tmp'
ProcessName|contains: ':\Windows\Temp\'
AccessList|contains: '%%4484'
ProcessName|endswith: '\avira_system_speedup.tmp'
ProcessName|contains: ':\Users\'
ProcessName|contains: '\AppData\Local\Temp\is-'
AccessList|contains: '%%4484'
ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
ProcessName|endswith: ':\Windows\CCM\CcmExec.exe'
ProcessName|endswith: ':\Windows\System32\msiexec.exe'
ProcessName|endswith: ':\Windows\System32\taskhostw.exe'
ProcessName|contains: ':\Program Files'

Stage 4: not 1 of filter_optional_procmon

or:
ProcessName|endswith: '\procmon.exe'
ProcessName|endswith: '\procmon64.exe'
AccessList|contains: '%%4484'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AccessListmatch
  • %%4484
  • 4416
  • 4484
AccessMaskmatch
  • 0x100000
  • 0x1010
  • 0x1400
  • 0x1410
  • 0x1418
  • 0x1438
  • 0x143a
  • 0x1f0fff
  • 0x1f1fff
  • 0x1f2fff
  • 0x1f3fff
  • 0x40
ObjectNameends_with
  • \lsass.exe corpus 2 (sigma 2)
ProcessNameends_with
  • :\Windows\CCM\CcmExec.exe
  • :\Windows\Sysmon64.exe
  • :\Windows\System32\msiexec.exe
  • :\Windows\System32\snmp.exe
  • :\Windows\System32\taskhostw.exe
  • RtkAudUService64
  • \GamingServices.exe
  • \GoogleUpdate.exe
  • \MRT.exe
  • \MicrosoftEdgeUpdate.exe
  • \MsMpEng.exe
  • \VsTskMgr.exe
  • \aurora-agent-64.exe
  • \avira_speedup_setup_update.tmp
  • \avira_system_speedup.tmp
  • \csrss.exe
  • \lsm.exe
  • \minionhost.exe
  • \perfmon.exe
  • \procexp.exe corpus 2 (sigma 2)
  • \procexp64.exe corpus 2 (sigma 2)
  • \procmon.exe corpus 2 (sigma 2)
  • \procmon64.exe corpus 2 (sigma 2)
  • \svchost.exe
  • \taskmgr.exe
  • \thor.exe corpus 2 (sigma 2)
  • \thor64.exe corpus 2 (sigma 2)
  • \vmtoolsd.exe
  • \wininit.exe
  • \wmiprvse.exe corpus 2 (sigma 2)
  • \x64\SCENARIOENGINE.EXE
ProcessNamematch
  • :\Program Files
  • :\Program Files (x86)\ corpus 2 (sigma 2)
  • :\Program Files\ corpus 2 (sigma 2)
  • :\ProgramData\Microsoft\Windows Defender\Platform\
  • :\Users\
  • :\Windows\SysNative\
  • :\Windows\SysWow64\
  • :\Windows\System32\
  • :\Windows\SystemTemp\
  • :\Windows\Temp\
  • :\Windows\Temp\asgard2-agent-sc\aurora\
  • :\Windows\Temp\asgard2-agent\
  • \AppData\Local\Temp\is-

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.