LoFP LoFP / false positives will occur based on grantedaccess and sourceuser, filter based on source image as needed. utilize this hunting analytic to tune out false positives in ttp or anomaly analytics.

Techniques

Sample rules

Windows Hunting System Account Targeting Lsass

Description

The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized access to Lsass.exe can lead to credential theft, posing a severe security risk. If confirmed malicious, attackers could gain access to sensitive credentials, potentially leading to privilege escalation and further compromise of the environment.

Detection logic

`sysmon` EventCode=10 TargetImage=*lsass.exe 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser  
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_hunting_system_account_targeting_lsass_filter`