Detectionhightest

Suspicious LSASS Access Via MalSecLogon

Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)Created Wed Jun 29472159c5-31b9-4f56-b794-b766faa8b0a7windows

Log Source

WindowsProcess Access

ProductWindows← raw: windows

CategoryProcess Access← raw: process_access

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Detection Logic

detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: '\svchost.exe'
        GrantedAccess: '0x14c0'
        CallTrace|contains: 'seclogon.dll'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

splintercod3.blogspot.com

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1003.001 · LSASS Memory

Rule Metadata

Rule ID

472159c5-31b9-4f56-b794-b766faa8b0a7

Status

test

Level

high

Type

Detection

Created

Wed Jun 29

Author

Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml

Raw Tags

attack.credential-accessattack.t1003.001

View on GitHub