SigmaHQ/rules/windows/builtin/win_susp_lsass_dump_generic.yml

title: Generic Password Dumper Activity on LSASS
description: Detects process handle on LSASS process with certain access mask
status: experimental
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, oscd.community (update)
date: 2019/11/01
references:
    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
    - attack.credential_access
    - attack.t1003
    - car.2019-04-004
logsource:
    product: windows
    service: security
detection:
    selection_1:
        EventID: 4656
        ObjectName: '*\lsass.exe'
        AccessMask|contains:
            - '0x40'
            - '0x1400'
            - '0x1000'
            - '0x100000'
            - '0x1410'    # car.2019-04-004
            - '0x1010'    # car.2019-04-004
            - '0x1438'    # car.2019-04-004
            - '0x143a'    # car.2019-04-004
            - '0x1418'    # car.2019-04-004
    selection_2:
        EventID: 4663
        ObjectName: '*\lsass.exe'
        AccessList|contains:
            - '4484'
            - '4416'
    filter:
        ProcessName: 
            - '*\wmiprvse.exe'
            - '*\taskmgr.exe'
            - '*\procexp64.exe'
            - '*\procexp.exe'
            - '*\lsm.exe'
            - '*\csrss.exe'
            - '*\wininit.exe'
            - '*\vmtoolsd.exe'
    condition: selection_1 or selection_2 and not filter
falsepositives:
    - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
level: high
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`title: Generic Password Dumper Activity on LSASS`
			`description: Detects process handle on LSASS process with certain access mask`
			`status: experimental`
			`author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, oscd.community (update)`
			`date: 2019/11/01`
			`references:`
			`- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html`
			`- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment`
			`tags:`
			`- attack.credential_access`
			`- attack.t1003`
			`- car.2019-04-004`
			`logsource:`
			`product: windows`
			`service: security`
			`detection:`
			`selection_1:`
			`EventID: 4656`
			`ObjectName: '*\lsass.exe'`
			`AccessMask\|contains:`
			`- '0x40'`
			`- '0x1400'`
			`- '0x1000'`
			`- '0x100000'`
			`- '0x1410' # car.2019-04-004`
			`- '0x1010' # car.2019-04-004`
			`- '0x1438' # car.2019-04-004`
			`- '0x143a' # car.2019-04-004`
			`- '0x1418' # car.2019-04-004`
			`selection_2:`
			`EventID: 4663`
			`ObjectName: '*\lsass.exe'`
			`AccessList\|contains:`
			`- '4484'`
			`- '4416'`
			`filter:`
			`ProcessName:`
			`- '*\wmiprvse.exe'`
			`- '*\taskmgr.exe'`
			`- '*\procexp64.exe'`
			`- '*\procexp.exe'`
			`- '*\lsm.exe'`
			`- '*\csrss.exe'`
			`- '*\wininit.exe'`
			`- '*\vmtoolsd.exe'`
			`condition: selection_1 or selection_2 and not filter`
			`falsepositives:`
			`- Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it`
			`level: high`