EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

LSASS Access From Non System Account

Detects potential mimikatz-like tools accessing LSASS from non system account

MITRE ATT&CK

T1003.001
credential-access

Detection Query

selection:
  EventID:
    - 4663
    - 4656
  AccessMask:
    - "0x100000"
    - "0x1010"
    - "0x1400"
    - "0x1410"
    - "0x1418"
    - "0x1438"
    - "0x143a"
    - "0x1f0fff"
    - "0x1f1fff"
    - "0x1f2fff"
    - "0x1f3fff"
    - "0x40"
    - 143a
    - 1f0fff
    - 1f1fff
    - 1f2fff
    - 1f3fff
  ObjectType: Process
  ObjectName|endswith: \lsass.exe
filter_main_service_account:
  SubjectUserName|endswith: $
filter_main_generic:
  ProcessName|contains:
    - :\Program Files\
    - :\Program Files (x86)\
filter_main_wmiprvse:
  ProcessName: C:\Windows\System32\wbem\WmiPrvSE.exe
  AccessMask: "0x1410"
filter_optional_steam:
  ProcessName|contains: \SteamLibrary\steamapps\
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

Roberto Rodriguez @Cyb3rWard0g

Created

2019-06-20

Data Sources

windowssecurity

Platforms

windows

References

Tags

attack.credential-accessattack.t1003.001
Raw Content
title: LSASS Access From Non System Account
id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
status: test
description: Detects potential mimikatz-like tools accessing LSASS from non system account
references:
    - https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2023-12-11
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4663
            - 4656
        AccessMask:
            - '0x100000'
            - '0x1010'    # car.2019-04-004
            - '0x1400'
            - '0x1410'    # car.2019-04-004
            - '0x1418'    # car.2019-04-004
            - '0x1438'    # car.2019-04-004
            - '0x143a'    # car.2019-04-004
            - '0x1f0fff'
            - '0x1f1fff'
            - '0x1f2fff'
            - '0x1f3fff'
            - '0x40'
            - '143a'    # car.2019-04-004
            - '1f0fff'
            - '1f1fff'
            - '1f2fff'
            - '1f3fff'
            # - '0x1000'  # minimum access requirements to query basic info from service
        ObjectType: 'Process'
        ObjectName|endswith: '\lsass.exe'
    filter_main_service_account:
        SubjectUserName|endswith: '$'
    filter_main_generic:
        ProcessName|contains:
            # Legitimate AV and EDR solutions
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    filter_main_wmiprvse:
        ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        AccessMask: '0x1410'
    filter_optional_steam:
        ProcessName|contains: '\SteamLibrary\steamapps\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium