Type: Detection | Level: high | Status: test

LSASS Access Detected via Attack Surface Reduction

Detects Access to LSASS Process

Author: Markus Neis (created Sun Aug 26, updated Sat Aug 13)

Log Source
Product: windows
Service: windefend

Definition

Requirements: the Attack Surface Reduction rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) must be enabled, since the rule matches on the Defender event that ASR emits when it blocks the access.

Detection Logic (4 selectors)
detection:
    selection:
        EventID: 1121
        Path|endswith: '\lsass.exe'
    filter_thor:
        ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
        ProcessName|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    filter_exact:
        ProcessName:
            - 'C:\Windows\System32\atiesrxx.exe'
            - 'C:\Windows\System32\CompatTelRunner.exe'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\System32\nvwmi64.exe'
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\Taskmgr.exe'
            - 'C:\Windows\System32\wbem\WmiPrvSE.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_begins:
        ProcessName|startswith:
            - 'C:\Windows\System32\DriverStore\'
            - 'C:\WINDOWS\Installer\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_*
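The condition `selection and not 1 of filter_*` evaluated in Python over constructed Defender ASR event records, as an added example that is not part of the rule or of this page; the sample process paths, the placeholder `tool.exe`, and the function names are assumptions. Sigma string modifiers match case-insensitively, so the comparison is done on lowercased values.

```python
FILTER_THOR_PREFIX = "C:\\Windows\\Temp\\asgard2-agent\\"
FILTER_THOR_NAMES = ("\\thor64.exe", "\\thor.exe")
FILTER_EXACT = {
    "C:\\Windows\\System32\\atiesrxx.exe",
    "C:\\Windows\\System32\\CompatTelRunner.exe",
    "C:\\Windows\\System32\\msiexec.exe",
    "C:\\Windows\\System32\\nvwmi64.exe",
    "C:\\Windows\\System32\\svchost.exe",
    "C:\\Windows\\System32\\Taskmgr.exe",
    "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "C:\\Windows\\SysWOW64\\msiexec.exe",
}
FILTER_BEGINS = (
    "C:\\Windows\\System32\\DriverStore\\",
    "C:\\WINDOWS\\Installer\\",
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
)

def matches_rule(event):
    """True when the event satisfies: selection and not 1 of filter_*."""
    # selection: ASR block event 1121 whose target Path ends with \lsass.exe
    path = str(event.get("Path", "")).lower()
    if event.get("EventID") != 1121 or not path.endswith("\\lsass.exe"):
        return False
    proc = str(event.get("ProcessName", "")).lower()
    # Inside one selector the listed fields are ANDed; list items are ORed.
    filter_thor = proc.startswith(FILTER_THOR_PREFIX.lower()) and any(
        proc.endswith(n.lower()) for n in FILTER_THOR_NAMES)
    filter_exact = proc in {p.lower() for p in FILTER_EXACT}
    filter_begins = any(proc.startswith(p.lower()) for p in FILTER_BEGINS)
    # "not 1 of filter_*": any single matching filter suppresses the alert
    return not (filter_thor or filter_exact or filter_begins)

# Constructed sample events (not real telemetry); tool.exe is a placeholder name.
SAMPLE_EVENTS = [
    {"EventID": 1121, "Path": "C:\\Windows\\System32\\lsass.exe",
     "ProcessName": "C:\\Users\\bob\\Downloads\\tool.exe"},          # alerts
    {"EventID": 1121, "Path": "C:\\Windows\\System32\\lsass.exe",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},           # filter_exact
    {"EventID": 1121, "Path": "C:\\Windows\\System32\\lsass.exe",
     "ProcessName": "c:\\windows\\temp\\asgard2-agent\\thor64.exe"},  # filter_thor
    {"EventID": 1122, "Path": "C:\\Windows\\System32\\lsass.exe",
     "ProcessName": "C:\\Users\\bob\\Downloads\\tool.exe"},          # not event 1121
]

def alerting_processes(events):
    """Return the ProcessName of every event the rule would alert on."""
    return [e["ProcessName"] for e in events if matches_rule(e)]
```

Only the first sample event survives the selection and all three filters, which is the behaviour a converted backend query should reproduce.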
False Positives

Google Chrome GoogleUpdate.exe

Some Taskmgr.exe related activity

Rule Metadata
Rule ID
a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
Status
test
Level
high
Type
Detection
Created
Sun Aug 26
Modified
Sat Aug 13
Path
rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml
Tags
attack.credential-access, attack.t1003.001