Detection rules › Splunk
Windows Hunting System Account Targeting Lsass
The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized access to Lsass.exe can lead to credential theft, posing a severe security risk. If confirmed malicious, attackers could gain access to sensitive credentials, potentially leading to privilege escalation and further compromise of the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003.001 OS Credential Dumping: LSASS Memory |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 10 | ProcessAccess |
Stages and Predicates
Stage 1: search
search EventCode=10 TargetImage="*lsass.exe"
Stage 2: stats
stats BY CallTrace, EventID, GrantedAccess, Guid, Opcode, ProcessID, SecurityID, SourceImage, SourceProcessGUID, SourceProcessId, TargetImage, TargetProcessGUID, TargetProcessId, UserID, dest, granted_access, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
TargetImage | eq |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Access LSASS Memory for Dump Creation (adds 1 filter)
- Detect Credential Dumping through LSASS access (adds 1 filter)
- Windows Non-System Account Targeting Lsass (adds 1 filter)
- Windows Terminating Lsass Process (adds 1 filter)