Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Potentially Suspicious AccessMask Requested From LSASS

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Potentially Suspicious AccessMask Requested From LSASS

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Potentially Suspicious AccessMask Requested From LSASS
id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
status: test
description: Detects process handle on LSASS process with certain access mask
references:
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
date: 2019-11-01
modified: 2023-12-19
tags:
    - attack.credential-access
    - car.2019-04-004
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection_1:
        EventID: 4656 # A handle to an object was requested.
        ObjectName|endswith: '\lsass.exe'
        AccessMask|contains:
            - '0x40'
            - '0x1400'
            # - '0x1000'  # minimum access requirements to query basic info from service
            - '0x100000'
            - '0x1410'    # car.2019-04-004
            - '0x1010'    # car.2019-04-004
            - '0x1438'    # car.2019-04-004
            - '0x143a'    # car.2019-04-004
            - '0x1418'    # car.2019-04-004
            - '0x1f0fff'
            - '0x1f1fff'
            - '0x1f2fff'
            - '0x1f3fff'
    selection_2:
        EventID: 4663 # An attempt was made to access an object
        ObjectName|endswith: '\lsass.exe'
        AccessList|contains:
            - '4484'
            - '4416'
    filter_main_specific:
        ProcessName|endswith:
            - '\csrss.exe'
            - '\GamingServices.exe'
            - '\lsm.exe'
            - '\MicrosoftEdgeUpdate.exe'
            - '\minionhost.exe'  # Cyberreason
            - '\MRT.exe'         # MS Malware Removal Tool
            - '\MsMpEng.exe'     # Defender
            - '\perfmon.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\svchost.exe'
            - '\taskmgr.exe'
            - '\thor.exe'        # THOR
            - '\thor64.exe'      # THOR
            - '\vmtoolsd.exe'
            - '\VsTskMgr.exe'    # McAfee Enterprise
            - '\wininit.exe'
            - '\wmiprvse.exe'
            - 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
        ProcessName|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
            - ':\Windows\SysNative\'
            - ':\Windows\System32\'
            - ':\Windows\SysWow64\'
            - ':\Windows\Temp\asgard2-agent\'
    filter_main_generic:
        ProcessName|contains: ':\Program Files'  # too many false positives with legitimate AV and EDR solutions
    filter_main_exact:
        ProcessName|endswith:
            - ':\Windows\System32\taskhostw.exe'
            - ':\Windows\System32\msiexec.exe'
            - ':\Windows\CCM\CcmExec.exe'
    filter_main_sysmon:
        ProcessName|endswith: ':\Windows\Sysmon64.exe'
        AccessList|contains: '%%4484'
    filter_main_aurora:
        ProcessName|contains: ':\Windows\Temp\asgard2-agent-sc\aurora\'
        ProcessName|endswith: '\aurora-agent-64.exe'
        AccessList|contains: '%%4484'
    filter_main_scenarioengine:
        # Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
        ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
        AccessList|contains: '%%4484'
    filter_main_avira1:
        ProcessName|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\is-'
        ProcessName|endswith: '\avira_system_speedup.tmp'
        AccessList|contains: '%%4484'
    filter_main_avira2:
        ProcessName|contains: ':\Windows\Temp\'
        ProcessName|endswith: '\avira_speedup_setup_update.tmp'
        AccessList|contains: '%%4484'
    filter_main_snmp:
        ProcessName|endswith: ':\Windows\System32\snmp.exe'
        AccessList|contains: '%%4484'
    filter_main_googleupdate:
        ProcessName|contains: ':\Windows\SystemTemp\'
        ProcessName|endswith: '\GoogleUpdate.exe'
        AccessList|contains: '%%4484'
    filter_optional_procmon:
        ProcessName|endswith:
            - '\procmon64.exe'
            - '\procmon.exe'
        AccessList|contains: '%%4484'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml