Threat Hunt | Level: medium | Status: test
Uncommon GrantedAccess Flags On LSASS
Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410
Author: Florian Roth (Nextron Systems) | Created: Sun Mar 13 | Updated: Thu Nov 30 | Rule ID: 678dfc63-fefb-47a5-a04c-26bcf8cc9f65 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Access (raw: process_access)
Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.
Detection Logic (14 selectors)
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|endswith: '10'
    # Absolute paths to programs that cause false positives
    filter1:
        SourceImage:
            - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe'
            - 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
            - 'C:\Program Files\Windows Defender\MsMpEng.exe'
            - 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
            - 'C:\Windows\System32\lsass.exe'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\WINDOWS\System32\perfmon.exe'
            - 'C:\WINDOWS\system32\taskhostw.exe'
            - 'C:\WINDOWS\system32\taskmgr.exe'
            - 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\sysWOW64\wbem\wmiprvse.exe'
    # Windows Defender
    filter2:
        SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
        SourceImage|endswith: '\MsMpEng.exe'
    # Microsoft Gaming Services
    filter3:
        SourceImage|startswith: 'C:\Program Files\WindowsApps\'
        SourceImage|endswith: '\GamingServices.exe'
    # Process Explorer
    filter4:
        SourceImage|endswith:
            - '\PROCEXP64.EXE'
            - '\PROCEXP.EXE'
    # VMware Tools
    filter5:
        SourceImage|startswith: 'C:\ProgramData\VMware\VMware Tools\'
        SourceImage|endswith: '\vmtoolsd.exe'
    # Antivirus and EDR agents
    filter6:
        SourceImage|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        SourceImage|contains: 'Antivirus'
    filter_nextron:
        # SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' # Can be a manual THOR installation
        SourceImage|endswith:
            - '\thor64.exe'
            - '\thor.exe'
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
    filter_ms_products:
        SourceImage|contains|all:
            - '\AppData\Local\Temp\'
            - '\vs_bootstrapper_'
        GrantedAccess: '0x1410'
    # Generic Filter for 0x1410 filter (caused by so many programs like DropBox updates etc.)
    filter_generic:
        SourceImage|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\WINDOWS\system32\'
    filter_wer:
        SourceCommandLine: 'C:\WINDOWS\system32\wermgr.exe -upload'
    filter_localappdata:
        SourceImage|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\'
        SourceImage|endswith:
            - '\Microsoft VS Code\Code.exe'
            - '\software_reporter_tool.exe'
            - '\DropboxUpdate.exe'
            - '\MBAMInstallerService.exe'
            - '\WebEx\WebexHost.exe'
            - '\Programs\Microsoft VS Code\Code.exe'
            - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe'
    filter_xampp:
        SourceImage|endswith: '\xampp-control.exe'
        GrantedAccess: '0x410'
    filter_games:
        SourceImage|contains: '\SteamLibrary\steamapps\'
        GrantedAccess:
            - '0x410'
            - '0x10'
    condition: selection and not 1 of filter*
False Positives
Legitimate software accessing LSASS process for legitimate reason
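Added example (not code from the rule, its author or the Sigma project): the detection above re-implemented in Python and run over a few constructed Sysmon Event ID 10 (ProcessAccess) records, plus a decoder for the GrantedAccess mask so a hunter can see what 0x10, 0x410 and 0x1410 actually grant. It assumes the Sysmon field names the rule uses (SourceImage, TargetImage, GrantedAccess, SourceCommandLine) and lower-cases every string because Sigma matching is case-insensitive; the sample events and the paths under C:\Users\bob are constructed, not real telemetry.

```python
"""Added example: the Sigma rule re-implemented in Python over constructed
Sysmon Event ID 10 records. Not code from the rule, its author or Sigma."""

# PROCESS_* access rights from winnt.h; Sysmon logs the granted mask as hex.
ACCESS_BITS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def decode_access(granted: str) -> list[str]:
    """Expand '0x1410' into the named rights it grants, lowest bit first."""
    mask = int(granted, 16)
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


# filter1 of the rule, lower-cased because Sigma string matching is case-insensitive.
FILTER1 = {p.lower() for p in (
    "C:\\Program Files\\Common Files\\McAfee\\MMSSHost\\MMSSHOST.exe",
    "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe",
    "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
    "C:\\PROGRAMDATA\\MALWAREBYTES\\MBAMSERVICE\\ctlrupdate\\mbupdatr.exe",
    "C:\\Windows\\System32\\lsass.exe", "C:\\Windows\\System32\\msiexec.exe",
    "C:\\WINDOWS\\System32\\perfmon.exe", "C:\\WINDOWS\\system32\\taskhostw.exe",
    "C:\\WINDOWS\\system32\\taskmgr.exe", "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe",
    "C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe",
)}
LOCALAPPDATA_TAILS = (
    "\\microsoft vs code\\code.exe", "\\software_reporter_tool.exe",
    "\\dropboxupdate.exe", "\\mbaminstallerservice.exe", "\\webex\\webexhost.exe",
    "\\programs\\microsoft vs code\\code.exe",
    "\\jetbrains\\toolbox\\bin\\jetbrains-toolbox.exe",
)
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def matches(event: dict) -> bool:
    """Evaluate 'selection and not 1 of filter*' for one ProcessAccess event."""
    src = event.get("SourceImage", "").lower()
    tgt = event.get("TargetImage", "").lower()
    acc = event.get("GrantedAccess", "").lower()
    cmd = event.get("SourceCommandLine", "").lower()
    if not (tgt.endswith("\\lsass.exe") and acc.endswith("10")):  # selection
        return False
    filters = (
        src in FILTER1,                                                     # filter1
        src.startswith("c:\\programdata\\microsoft\\windows defender\\")
        and src.endswith("\\msmpeng.exe"),                                  # filter2
        src.startswith("c:\\program files\\windowsapps\\")
        and src.endswith("\\gamingservices.exe"),                           # filter3
        src.endswith(("\\procexp64.exe", "\\procexp.exe")),                # filter4
        src.startswith("c:\\programdata\\vmware\\vmware tools\\")
        and src.endswith("\\vmtoolsd.exe"),                                 # filter5
        src.startswith(PROGRAM_FILES) and "antivirus" in src,               # filter6
        src.endswith(("\\thor64.exe", "\\thor.exe",
                      "\\aurora-agent-64.exe", "\\aurora-agent.exe")),      # filter_nextron
        "\\appdata\\local\\temp\\" in src and "\\vs_bootstrapper_" in src
        and acc == "0x1410",                                                # filter_ms_products
        src.startswith(PROGRAM_FILES + ("c:\\windows\\system32\\",)),       # filter_generic
        cmd == "c:\\windows\\system32\\wermgr.exe -upload",                 # filter_wer
        "c:\\users\\" in src and "\\appdata\\local\\" in src
        and src.endswith(LOCALAPPDATA_TAILS),                               # filter_localappdata
        src.endswith("\\xampp-control.exe") and acc == "0x410",            # filter_xampp
        "\\steamlibrary\\steamapps\\" in src and acc in ("0x410", "0x10"),  # filter_games
    )
    return not any(filters)


def make_event(src: str, acc: str, cmd: str) -> dict:
    """Build a minimal Sysmon Event ID 10 record targeting lsass.exe."""
    return {"SourceImage": src, "TargetImage": "C:\\Windows\\system32\\lsass.exe",
            "GrantedAccess": acc, "SourceCommandLine": cmd}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    make_event("C:\\Users\\bob\\Downloads\\procdump64.exe", "0x1410",
               "procdump64.exe -ma lsass.exe lsass.dmp"),                         # fires
    make_event("C:\\Users\\bob\\AppData\\Roaming\\update.exe", "0x1010", "update.exe"),  # fires
    make_event("C:\\Windows\\system32\\taskmgr.exe", "0x1410", "taskmgr.exe"),    # filter1, filter_generic
    make_event("C:\\Users\\bob\\Downloads\\mimikatz.exe", "0x1fffff", "mimikatz.exe"),  # mask does not end in 10
    make_event("C:\\Users\\bob\\AppData\\Local\\Dropbox\\Update\\DropboxUpdate.exe", "0x1410",
               "DropboxUpdate.exe"),                                              # filter_localappdata
]


def hunt(events: list[dict] = SAMPLE_EVENTS) -> list[str]:
    """SourceImage of every event the rule would surface for triage."""
    return [e["SourceImage"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("ALERT" if matches(e) else "quiet", e["GrantedAccess"], e["SourceImage"])
    print("0x1410 =", " | ".join(decode_access("0x1410")))
```

Two things the run makes visible. First, 0x1410 is PROCESS_VM_READ together with the two query rights, which is what MiniDumpWriteDump documents as required, so a mask ending in 10 from an unusual SourceImage is worth a look; a full-access handle (0x1FFFFF) does not end in 10 and falls outside this rule by design, so it has to be covered by other LSASS access rules. Second, filter_generic as rendered above carries no GrantedAccess constraint, so any binary under Program Files or system32 is suppressed whatever mask it obtained; a hunter should keep in mind that a dropped binary in those directories is invisible to this rule.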
MITRE ATT&CK
Tactics: Credential Access (attack.credential-access)
Sub-techniques: T1003.001 OS Credential Dumping: LSASS Memory (attack.t1003.001)
Software: S0002 Mimikatz (attack.s0002)
Other: detection.threat-hunting
Related Rules
Similar: 32d0d3e2-e58d-4d41-926b-18b520b2b32d (rule not found in this catalog)
Rule Metadata
Rule ID
678dfc63-fefb-47a5-a04c-26bcf8cc9f65
Status
test
Level
medium
Type
Threat Hunt
Created
Sun Mar 13
Modified
Thu Nov 30
Path
rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml
Raw Tags
attack.credential-access, attack.t1003.001, attack.s0002, detection.threat-hunting