SigmaHQ/rules/windows/builtin/win_alert_lsass_access.yml

title: LSASS Access Detected via Attack Surface Reduction
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
description: Detects Access to LSASS Process
status: experimental
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
author: Markus Neis
date: 2018/08/26
tags:
    - attack.credential_access
    - attack.t1003          # an old one
# Defender Attack Surface Reduction
    - attack.t1003.001
logsource:
    product: windows_defender
    definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
detection:
    selection:
        EventID: 1121
        Path|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Google Chrome GoogleUpdate.exe
    - Some Taskmgr.exe related activity
level: high
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`title: LSASS Access Detected via Attack Surface Reduction`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`description: Detects Access to LSASS Process`
			`status: experimental`
			`references:`
			`- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter`
			`author: Markus Neis`
			`date: 2018/08/26`
			`tags:`
			`- attack.credential_access`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1003 # an old one`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`# Defender Attack Surface Reduction`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1003.001`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`logsource:`
			`product: windows_defender`
			`definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'`
			`detection:`
			`selection:`
			`EventID: 1121`
Update win_alert_lsass_access.yml Getting rid of '*' use 2020-10-15 18:09:35 +00:00			`Path\|endswith: '\lsass.exe'`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`condition: selection`
			`falsepositives:`
			`- Google Chrome GoogleUpdate.exe`
			`- Some Taskmgr.exe related activity`
			`level: high`