LoFP / false positives may be present on recent windows operating systems. filtering may be required based on process_name. in addition, look for non-standard, unsigned, module loads into lsass. if query is too noisy, modify by adding endpoint.processes process_name to query to identify the process making the modification.

Techniques

• T1547.008
• T1548.002

Sample rules

Windows Autostart Execution LSASS Driver Registry Modification

• source: splunk
• technicques:
  • T1547.008

Description

The following analytic identifies the abuse of two undocumented registry keys that allow for a DLL to load into lsass.exe to potentially capture credentials. Upon successful modification of \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt or \CurrentControlSet\Services\NTDS\LsaDbExtPt, a DLL either remote or local will be set as the value and load up into lsass.exe. Based on POC code a text file may be written to disk with credentials.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt","*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.process_guid 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_autostart_execution_lsass_driver_registry_modification_filter`

Windows Bypass UAC via Pkgmgr Tool

• source: splunk
• technicques:
  • T1548.002

Description

The following analytic identifies a potentially suspicious execution of the ‘pkgmgr’ process involving the use of an XML input file for package management. The ‘pkgmgr’ process, though deprecated in modern Windows systems, was historically used for managing packages. The presence of an XML input file raises concerns about the nature of the executed command and its potential impact on the system. Due to the deprecated status of ‘pkgmgr’ and the involvement of an XML file, this activity warrants careful investigation. XML files are commonly used for configuration and data exchange, making it crucial to ascertain the intentions and legitimacy of the command. To ensure system security, it is recommended to use up-to-date package management utilities, such as DISM or PowerShell’s PackageManagement module, and exercise caution when executing commands involving potentially sensitive operations or files.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where  Processes.process_name = pkgmgr.exe Processes.process = "*.xml*" NOT(Processes.parent_process_path IN("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "*:\\Program Files*")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_bypass_uac_via_pkgmgr_tool_filter`