false positives will occur based on grantedaccess and sourceuser, filter based on source image as needed. utilize this hunting analytic to tune out false positives in ttp or anomaly analytics.

Techniques

T1003.001

Sample rules

Windows Hunting System Account Targeting Lsass

source: splunk
technicques:
- T1003.001

Description

The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized access to Lsass.exe can lead to credential theft, posing a severe security risk. If confirmed malicious, attackers could gain access to sensitive credentials, potentially leading to privilege escalation and further compromise of the environment.

Detection logic

`sysmon` EventCode=10 TargetImage=*lsass.exe
  
| stats count min(_time) as firstTime max(_time) as lastTime
    BY CallTrace EventID GrantedAccess
       Guid Opcode ProcessID
       SecurityID SourceImage SourceProcessGUID
       SourceProcessId TargetImage TargetProcessGUID
       TargetProcessId UserID dest
       granted_access parent_process_exec parent_process_guid
       parent_process_id parent_process_name parent_process_path
       process_exec process_guid process_id
       process_name process_path signature
       signature_id user_id vendor_product
  
| `security_content_ctime(firstTime)`
  
| `security_content_ctime(lastTime)`
  
| `windows_hunting_system_account_targeting_lsass_filter`