EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Potentially Suspicious AccessMask Requested From LSASS

Detects process handle on LSASS process with certain access mask

MITRE ATT&CK

T1003.001
credential-access

Detection Query

selection_1:
  EventID: 4656
  ObjectName|endswith: \lsass.exe
  AccessMask|contains:
    - "0x40"
    - "0x1400"
    - "0x100000"
    - "0x1410"
    - "0x1010"
    - "0x1438"
    - "0x143a"
    - "0x1418"
    - "0x1f0fff"
    - "0x1f1fff"
    - "0x1f2fff"
    - "0x1f3fff"
selection_2:
  EventID: 4663
  ObjectName|endswith: \lsass.exe
  AccessList|contains:
    - "4484"
    - "4416"
filter_main_specific:
  ProcessName|endswith:
    - \csrss.exe
    - \GamingServices.exe
    - \lsm.exe
    - \MicrosoftEdgeUpdate.exe
    - \minionhost.exe
    - \MRT.exe
    - \MsMpEng.exe
    - \perfmon.exe
    - \procexp.exe
    - \procexp64.exe
    - \svchost.exe
    - \taskmgr.exe
    - \thor.exe
    - \thor64.exe
    - \vmtoolsd.exe
    - \VsTskMgr.exe
    - \wininit.exe
    - \wmiprvse.exe
    - RtkAudUService64
  ProcessName|contains:
    - :\Program Files (x86)\
    - :\Program Files\
    - :\ProgramData\Microsoft\Windows Defender\Platform\
    - :\Windows\SysNative\
    - :\Windows\System32\
    - :\Windows\SysWow64\
    - :\Windows\Temp\asgard2-agent\
filter_main_generic:
  ProcessName|contains: :\Program Files
filter_main_exact:
  ProcessName|endswith:
    - :\Windows\System32\taskhostw.exe
    - :\Windows\System32\msiexec.exe
    - :\Windows\CCM\CcmExec.exe
filter_main_sysmon:
  ProcessName|endswith: :\Windows\Sysmon64.exe
  AccessList|contains: "%%4484"
filter_main_aurora:
  ProcessName|contains: :\Windows\Temp\asgard2-agent-sc\aurora\
  ProcessName|endswith: \aurora-agent-64.exe
  AccessList|contains: "%%4484"
filter_main_scenarioengine:
  ProcessName|endswith: \x64\SCENARIOENGINE.EXE
  AccessList|contains: "%%4484"
filter_main_avira1:
  ProcessName|contains|all:
    - :\Users\
    - \AppData\Local\Temp\is-
  ProcessName|endswith: \avira_system_speedup.tmp
  AccessList|contains: "%%4484"
filter_main_avira2:
  ProcessName|contains: :\Windows\Temp\
  ProcessName|endswith: \avira_speedup_setup_update.tmp
  AccessList|contains: "%%4484"
filter_main_snmp:
  ProcessName|endswith: :\Windows\System32\snmp.exe
  AccessList|contains: "%%4484"
filter_main_googleupdate:
  ProcessName|contains: :\Windows\SystemTemp\
  ProcessName|endswith: \GoogleUpdate.exe
  AccessList|contains: "%%4484"
filter_optional_procmon:
  ProcessName|endswith:
    - \procmon64.exe
    - \procmon.exe
  AccessList|contains: "%%4484"
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*

Author

Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)

Created

2019-11-01

Data Sources

windowssecurity

Platforms

windows

References

Tags

attack.credential-accesscar.2019-04-004attack.t1003.001
Raw Content
title: Potentially Suspicious AccessMask Requested From LSASS
id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
status: test
description: Detects process handle on LSASS process with certain access mask
references:
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
date: 2019-11-01
modified: 2023-12-19
tags:
    - attack.credential-access
    - car.2019-04-004
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection_1:
        EventID: 4656 # A handle to an object was requested.
        ObjectName|endswith: '\lsass.exe'
        AccessMask|contains:
            - '0x40'
            - '0x1400'
            # - '0x1000'  # minimum access requirements to query basic info from service
            - '0x100000'
            - '0x1410'    # car.2019-04-004
            - '0x1010'    # car.2019-04-004
            - '0x1438'    # car.2019-04-004
            - '0x143a'    # car.2019-04-004
            - '0x1418'    # car.2019-04-004
            - '0x1f0fff'
            - '0x1f1fff'
            - '0x1f2fff'
            - '0x1f3fff'
    selection_2:
        EventID: 4663 # An attempt was made to access an object
        ObjectName|endswith: '\lsass.exe'
        AccessList|contains:
            - '4484'
            - '4416'
    filter_main_specific:
        ProcessName|endswith:
            - '\csrss.exe'
            - '\GamingServices.exe'
            - '\lsm.exe'
            - '\MicrosoftEdgeUpdate.exe'
            - '\minionhost.exe'  # Cyberreason
            - '\MRT.exe'         # MS Malware Removal Tool
            - '\MsMpEng.exe'     # Defender
            - '\perfmon.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\svchost.exe'
            - '\taskmgr.exe'
            - '\thor.exe'        # THOR
            - '\thor64.exe'      # THOR
            - '\vmtoolsd.exe'
            - '\VsTskMgr.exe'    # McAfee Enterprise
            - '\wininit.exe'
            - '\wmiprvse.exe'
            - 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
        ProcessName|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
            - ':\Windows\SysNative\'
            - ':\Windows\System32\'
            - ':\Windows\SysWow64\'
            - ':\Windows\Temp\asgard2-agent\'
    filter_main_generic:
        ProcessName|contains: ':\Program Files'  # too many false positives with legitimate AV and EDR solutions
    filter_main_exact:
        ProcessName|endswith:
            - ':\Windows\System32\taskhostw.exe'
            - ':\Windows\System32\msiexec.exe'
            - ':\Windows\CCM\CcmExec.exe'
    filter_main_sysmon:
        ProcessName|endswith: ':\Windows\Sysmon64.exe'
        AccessList|contains: '%%4484'
    filter_main_aurora:
        ProcessName|contains: ':\Windows\Temp\asgard2-agent-sc\aurora\'
        ProcessName|endswith: '\aurora-agent-64.exe'
        AccessList|contains: '%%4484'
    filter_main_scenarioengine:
        # Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
        ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
        AccessList|contains: '%%4484'
    filter_main_avira1:
        ProcessName|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\is-'
        ProcessName|endswith: '\avira_system_speedup.tmp'
        AccessList|contains: '%%4484'
    filter_main_avira2:
        ProcessName|contains: ':\Windows\Temp\'
        ProcessName|endswith: '\avira_speedup_setup_update.tmp'
        AccessList|contains: '%%4484'
    filter_main_snmp:
        ProcessName|endswith: ':\Windows\System32\snmp.exe'
        AccessList|contains: '%%4484'
    filter_main_googleupdate:
        ProcessName|contains: ':\Windows\SystemTemp\'
        ProcessName|endswith: '\GoogleUpdate.exe'
        AccessList|contains: '%%4484'
    filter_optional_procmon:
        ProcessName|endswith:
            - '\procmon64.exe'
            - '\procmon.exe'
        AccessList|contains: '%%4484'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
level: medium