LoFP LoFP / legitimate software accessing lsass process for legitimate reason; update the whitelist with it

Techniques

Sample rules

Potentially Suspicious AccessMask Requested From LSASS

Description

Detects process handle on LSASS process with certain access mask

Detection logic

condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_aurora:
  AccessList|contains: '%%4484'
  ProcessName|contains: :\Windows\Temp\asgard2-agent-sc\aurora\
  ProcessName|endswith: \aurora-agent-64.exe
filter_main_avira1:
  AccessList|contains: '%%4484'
  ProcessName|contains|all:
  - :\Users\
  - \AppData\Local\Temp\is-
  ProcessName|endswith: \avira_system_speedup.tmp
filter_main_avira2:
  AccessList|contains: '%%4484'
  ProcessName|contains: :\Windows\Temp\
  ProcessName|endswith: \avira_speedup_setup_update.tmp
filter_main_exact:
  ProcessName|endswith:
  - :\Windows\System32\taskhostw.exe
  - :\Windows\System32\msiexec.exe
  - :\Windows\CCM\CcmExec.exe
filter_main_generic:
  ProcessName|contains: :\Program Files
filter_main_googleupdate:
  AccessList|contains: '%%4484'
  ProcessName|contains: :\Windows\SystemTemp\
  ProcessName|endswith: \GoogleUpdate.exe
filter_main_scenarioengine:
  AccessList|contains: '%%4484'
  ProcessName|endswith: \x64\SCENARIOENGINE.EXE
filter_main_snmp:
  AccessList|contains: '%%4484'
  ProcessName|endswith: :\Windows\System32\snmp.exe
filter_main_specific:
  ProcessName|contains:
  - :\Program Files (x86)\
  - :\Program Files\
  - :\ProgramData\Microsoft\Windows Defender\Platform\
  - :\Windows\SysNative\
  - :\Windows\System32\
  - :\Windows\SysWow64\
  - :\Windows\Temp\asgard2-agent\
  ProcessName|endswith:
  - \csrss.exe
  - \GamingServices.exe
  - \lsm.exe
  - \MicrosoftEdgeUpdate.exe
  - \minionhost.exe
  - \MRT.exe
  - \MsMpEng.exe
  - \perfmon.exe
  - \procexp.exe
  - \procexp64.exe
  - \svchost.exe
  - \taskmgr.exe
  - \thor.exe
  - \thor64.exe
  - \vmtoolsd.exe
  - \VsTskMgr.exe
  - \wininit.exe
  - \wmiprvse.exe
  - RtkAudUService64
filter_main_sysmon:
  AccessList|contains: '%%4484'
  ProcessName|endswith: :\Windows\Sysmon64.exe
filter_optional_procmon:
  AccessList|contains: '%%4484'
  ProcessName|endswith:
  - \procmon64.exe
  - \procmon.exe
selection_1:
  AccessMask|contains:
  - '0x40'
  - '0x1400'
  - '0x100000'
  - '0x1410'
  - '0x1010'
  - '0x1438'
  - '0x143a'
  - '0x1418'
  - '0x1f0fff'
  - '0x1f1fff'
  - '0x1f2fff'
  - '0x1f3fff'
  EventID: 4656
  ObjectName|endswith: \lsass.exe
selection_2:
  AccessList|contains:
  - '4484'
  - '4416'
  EventID: 4663
  ObjectName|endswith: \lsass.exe