Sigma rule | Level: medium | Hunting

LSASS Access From Program In Potentially Suspicious Folder

Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder

MITRE ATT&CK

credential-access


Author

Florian Roth (Nextron Systems)

Created

2021-11-27

Data Sources

windows: Process Access Events

Platforms

windows

Tags

attack.credential-access
attack.t1003.001
attack.s0002
detection.threat-hunting
Raw Content
title: LSASS Access From Program In Potentially Suspicious Folder
id: fa34b441-961a-42fa-a100-ecc28c886725
status: test
description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
references:
    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth (Nextron Systems)
date: 2021-11-27
modified: 2023-12-06
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
    - detection.threat-hunting
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
        SourceImage|contains:
            - '\Temp\'
            - '\Users\Public\'
            - '\PerfLogs\'
            - '\AppData\'
            - '\Temporary'
    filter_optional_generic_appdata:
        SourceImage|contains|all:
            - ':\Users\'
            - '\AppData\Local\'
        SourceImage|endswith:
            - '\Microsoft VS Code\Code.exe'
            - '\software_reporter_tool.exe'
            - '\DropboxUpdate.exe'
            - '\MBAMInstallerService.exe'
            - '\WebexMTA.exe'
            - '\Meetings\WebexMTAV2.exe'
            - '\WebEx\WebexHost.exe'
            - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe'
        GrantedAccess: '0x410'
    filter_optional_dropbox_1:
        SourceImage|contains: ':\Windows\Temp\'
        SourceImage|endswith: '.tmp\DropboxUpdate.exe'
        GrantedAccess:
            - '0x410'
            - '0x1410'
    filter_optional_dropbox_2:
        SourceImage|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\'
        SourceImage|endswith: '.tmp\DropboxUpdate.exe'
        GrantedAccess: '0x1410'
    filter_optional_dropbox_3:
        SourceImage|contains:
            - ':\Program Files (x86)\Dropbox\'
            - ':\Program Files\Dropbox\'
        SourceImage|endswith: '\DropboxUpdate.exe'
        GrantedAccess: '0x1410'
    filter_optional_nextron:
        SourceImage|contains:
            - ':\Windows\Temp\asgard2-agent\'
            - ':\Windows\Temp\asgard2-agent-sc\'
        SourceImage|endswith:
            - '\thor64.exe'
            - '\thor.exe'
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
        GrantedAccess:
            - '0x1fffff'
            - '0x1010'
            - '0x101010'
    filter_optional_ms_products:
        SourceImage|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\'
            - '\vs_bootstrapper_'
        GrantedAccess: '0x1410'
    filter_optional_chrome_update:
        SourceImage|contains: ':\Program Files (x86)\Google\Temp\'
        SourceImage|endswith: '.tmp\GoogleUpdate.exe'
        GrantedAccess:
            - '0x410'
            - '0x1410'
    filter_optional_keybase:
        SourceImage|contains: ':\Users\'
        SourceImage|endswith: '\AppData\Local\Keybase\keybase.exe'
        GrantedAccess: '0x1fffff'
    filter_optional_avira:
        SourceImage|contains: '\AppData\Local\Temp\is-'
        SourceImage|endswith: '.tmp\avira_system_speedup.tmp'
        GrantedAccess: '0x1410'
    filter_optional_viberpc_updater:
        SourceImage|contains: '\AppData\Roaming\ViberPC\'
        SourceImage|endswith: '\updater.exe'
        TargetImage|endswith: '\winlogon.exe'
        GrantedAccess: '0x1fffff'
    filter_optional_adobe_arm_helper:
        SourceImage|contains:  # Example path: 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\2092867405\AdobeARMHelper.exe'
            - ':\Program Files\Common Files\Adobe\ARM\'
            - ':\Program Files (x86)\Common Files\Adobe\ARM\'
        SourceImage|endswith: '\AdobeARMHelper.exe'
        GrantedAccess: '0x1410'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Updaters and installers are typical false positives. Apply custom filters depending on your environment
level: medium
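The rule's selection hinges on two things that are easy to misread: the `GrantedAccess|endswith` list is a suffix match on the hex string Sysmon writes into Event ID 10 (so `'10'` matches `0x10`, `0x410`, `0x1010` and `0x1410` alike, which is why every benign-updater filter above has to name the exact mask it wants to excuse), and Sigma string matching is case-insensitive (so `'FF'` catches `0x1fffff`, PROCESS_ALL_ACCESS, as logged in lowercase). The block below is an added example, not code from the Sigma project or from the rule's author: it reimplements the default Sigma matching semantics in Python for the selection and two of the `filter_optional_*` blocks, decodes the access masks into the named rights from the Microsoft process-security reference the rule links to, and runs the result over constructed Event ID 10 records. The sample paths and masks are constructed for the example; the transcription of only two filter blocks is an assumption to keep the code short.

```python
"""Run the LSASS access rule above over constructed Sysmon Event ID 10 records.

Added example, not code from the Sigma project or the rule's author. It
reimplements Sigma's default matching (case-insensitive contains/endswith,
list values OR'ed, fields in a block AND'ed, 'selection and not 1 of
filter_optional_*') for the selection and two of the filter blocks.
"""
from typing import Dict, List, Optional, Tuple

# Process access rights per the Microsoft reference linked in the rule, low bit first.
PROCESS_RIGHTS = [
    (0x0001, "PROCESS_TERMINATE"), (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0004, "PROCESS_SET_SESSIONID"), (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"), (0x0020, "PROCESS_VM_WRITE"),
    (0x0040, "PROCESS_DUP_HANDLE"), (0x0080, "PROCESS_CREATE_PROCESS"),
    (0x0100, "PROCESS_SET_QUOTA"), (0x0200, "PROCESS_SET_INFORMATION"),
    (0x0400, "PROCESS_QUERY_INFORMATION"), (0x0800, "PROCESS_SUSPEND_RESUME"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"), (0x2000, "PROCESS_SET_LIMITED_INFORMATION"),
]
PROCESS_ALL_ACCESS = 0x1FFFFF


def decode_granted_access(mask: str) -> List[str]:
    """Expand a Sysmon GrantedAccess string such as '0x1410' into right names."""
    value = int(mask, 16)
    if value & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in PROCESS_RIGHTS if value & bit]


# Rule blocks as (field, modifier, values) tuples; tuples within a block are AND'ed.
# 'equals' stands for a plain Sigma field match with no modifier.
SELECTION = [
    ("TargetImage", "endswith", ["\\lsass.exe"]),
    ("GrantedAccess", "endswith", [
        "10", "30", "50", "70", "90", "B0", "D0", "F0",
        "18", "38", "58", "78", "98", "B8", "D8", "F8",
        "1A", "3A", "5A", "7A", "9A", "BA", "DA", "FA", "0x14C2", "FF"]),
    ("SourceImage", "contains", [
        "\\Temp\\", "\\Users\\Public\\", "\\PerfLogs\\", "\\AppData\\", "\\Temporary"]),
]
FILTERS = {  # only two of the rule's filter_optional_* blocks are transcribed here
    "filter_optional_generic_appdata": [
        ("SourceImage", "contains|all", [":\\Users\\", "\\AppData\\Local\\"]),
        ("SourceImage", "endswith", ["\\Microsoft VS Code\\Code.exe", "\\DropboxUpdate.exe"]),
        ("GrantedAccess", "equals", ["0x410"]),
    ],
    "filter_optional_nextron": [
        ("SourceImage", "contains", [":\\Windows\\Temp\\asgard2-agent\\",
                                     ":\\Windows\\Temp\\asgard2-agent-sc\\"]),
        ("SourceImage", "endswith", ["\\thor64.exe", "\\thor.exe",
                                     "\\aurora-agent-64.exe", "\\aurora-agent.exe"]),
        ("GrantedAccess", "equals", ["0x1fffff", "0x1010", "0x101010"]),
    ],
}


def _match(field_value: str, modifier: str, values: List[str]) -> bool:
    """One Sigma field test: case-insensitive; list entries OR'ed, '|all' AND'ed."""
    v = field_value.lower()
    vals = [x.lower() for x in values]
    if modifier == "endswith":
        return any(v.endswith(x) for x in vals)
    if modifier == "contains":
        return any(x in v for x in vals)
    if modifier == "contains|all":
        return all(x in v for x in vals)
    if modifier == "equals":
        return v in vals
    raise ValueError(f"unsupported modifier {modifier}")


def _block_matches(event: Dict[str, str], block: list) -> bool:
    return all(_match(event.get(field, ""), mod, vals) for field, mod, vals in block)


def evaluate(event: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Return (alert?, name of the filter block that suppressed the event, if any)."""
    if not _block_matches(event, SELECTION):
        return (False, None)
    for name, block in FILTERS.items():
        if _block_matches(event, block):
            return (False, name)
    return (True, None)


def lsass_event(source: str, access: str) -> Dict[str, str]:
    """Constructed Event ID 10 record, trimmed to the fields the rule uses."""
    return {"SourceImage": source, "TargetImage": r"C:\Windows\System32\lsass.exe",
            "GrantedAccess": access}


SAMPLE_EVENTS = [  # constructed, not real telemetry
    lsass_event(r"C:\Users\bob\AppData\Local\Temp\dump.exe", "0x1010"),
    lsass_event(r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe", "0x410"),
    lsass_event(r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe", "0x1410"),
    lsass_event(r"C:\Users\bob\AppData\Local\Temp\dump.exe", "0x1000"),
    lsass_event(r"C:\Windows\Temp\asgard2-agent\thor64.exe", "0x1fffff"),
]
```

Running `evaluate` over `SAMPLE_EVENTS` shows the behaviour the rule's filter list is built around: the `dump.exe` open with `0x1010` (VM_READ plus QUERY_LIMITED_INFORMATION) alerts; the same binary with `0x1000` (QUERY_LIMITED_INFORMATION alone) does not, because no suffix in the list matches `00`; VS Code opening LSASS with `0x410` is suppressed by `filter_optional_generic_appdata`, but the same VS Code path with `0x1410` alerts, since that filter names `0x410` exactly; and THOR's `0x1fffff` open from `\Windows\Temp\asgard2-agent\` is suppressed by `filter_optional_nextron`. `decode_granted_access` is what you reach for when triaging a hit, for instance to see that `0x14C2` (the ATPMiniDump mask referenced in the rule) carries CREATE_THREAD, DUP_HANDLE, CREATE_PROCESS and both QUERY rights but no VM_READ.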