Detectionmediumtest
LSASS Access From Non System Account
Detects potential mimikatz-like tools accessing LSASS from non system account
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Roberto Rodriguez (Cyb3rWard0g)Created Thu Jun 20Updated Mon Dec 11962fe167-e48d-4fd6-9974-11e5b9a5d6d1windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic5 selectors
detection:
selection:
EventID:
- 4663
- 4656
AccessMask:
- '0x100000'
- '0x1010' # car.2019-04-004
- '0x1400'
- '0x1410' # car.2019-04-004
- '0x1418' # car.2019-04-004
- '0x1438' # car.2019-04-004
- '0x143a' # car.2019-04-004
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
- '0x40'
- '143a' # car.2019-04-004
- '1f0fff'
- '1f1fff'
- '1f2fff'
- '1f3fff'
# - '0x1000' # minimum access requirements to query basic info from service
ObjectType: 'Process'
ObjectName|endswith: '\lsass.exe'
filter_main_service_account:
SubjectUserName|endswith: '$'
filter_main_generic:
ProcessName|contains:
# Legitimate AV and EDR solutions
- ':\Program Files\'
- ':\Program Files (x86)\'
filter_main_wmiprvse:
ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
AccessMask: '0x1410'
filter_optional_steam:
ProcessName|contains: '\SteamLibrary\steamapps\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
962fe167-e48d-4fd6-9974-11e5b9a5d6d1
Status
test
Level
medium
Type
Detection
Created
Thu Jun 20
Modified
Mon Dec 11
Path
rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml
Raw Tags
attack.credential-accessattack.t1003.001