
Techniques

Sample rules

Potentially Suspicious GrantedAccess Flags On LSASS

Description

Detects process access requests to the LSASS process with potentially suspicious access flags.

Detection logic

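---
# Sigma detection block for "Potentially Suspicious GrantedAccess Flags On LSASS".
#
# Evaluation: every selection_* must match, and no filter_main_* and no
# filter_optional_* may match. The filter_main_* entries are exclusions the
# rule always applies; the filter_optional_* entries are tuning exclusions for
# specific AV/EDR/tooling that an operator can remove when that software is not
# present in the estate.
#
# NOTE(review): almost every filter trusts the SourceImage path or file name
# (sometimes combined with GrantedAccess). filter_main_generic in particular
# suppresses any caller located under Program Files / System32 / SysWOW64, and
# some filter_optional_* paths (\SteamLibrary\steamapps\, \AppData\Local\...)
# are user-writable. Where the event source carries signer or hash fields,
# consider narrowing these filters with them.
#
# All string values are single-quoted so that values beginning with ':' or '\'
# and hex-looking suffixes such as 'B0' are never re-typed by a YAML parser.
condition: 'all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*'

# Explorer commonly opens LSASS with 0x401 (PROCESS_QUERY_INFORMATION | PROCESS_TERMINATE).
filter_main_explorer:
  GrantedAccess: '0x401'
  SourceImage|endswith: '\explorer.exe'

# Broad exclusion of callers running from system and vendor install directories.
filter_main_generic:
  SourceImage|contains:
    - ':\Program Files (x86)\'
    - ':\Program Files\'
    - ':\Windows\System32\'
    - ':\Windows\SysWOW64\'

# Microsoft Defender engine running from its ProgramData platform directory.
filter_main_windefend_1:
  SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\'
  SourceImage|endswith: '\MsMpEng.exe'

# Defender engine DLL loaded from a definition-update GUID directory; the
# CallTrace fragments bracket the '{GUID}' so only that layout is excluded.
filter_main_windefend_2:
  CallTrace|contains|all:
    - '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
    - '}\mpengine.dll+'
  GrantedAccess: '0x1418'

# Defender client libraries in the call stack (lower-case drive path only).
filter_main_windefend_3:
  CallTrace|contains:
    - '|c:\program files\windows defender\mprtp.dll'
    - '|c:\program files\windows defender\MpClient.dll'

filter_optional_malwarebytes:
  SourceImage|endswith: ':\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'

filter_optional_mbami:
  GrantedAccess: '0x40'
  SourceImage|endswith: '\MBAMInstallerService.exe'

# Nextron scanners open LSASS with 0x40 (PROCESS_DUP_HANDLE) only.
filter_optional_nextron:
  GrantedAccess: '0x40'
  SourceImage|endswith:
    - '\aurora-agent-64.exe'
    - '\aurora-agent.exe'
    - '\thor.exe'
    - '\thor64.exe'

filter_optional_steam_apps:
  SourceImage|contains: '\SteamLibrary\steamapps\'

# Sysinternals handle/procexp enumerate handles, which needs PROCESS_DUP_HANDLE.
filter_optional_sysinternals_handle:
  GrantedAccess: '0x40'
  SourceImage|endswith:
    - '\handle.exe'
    - '\handle64.exe'

filter_optional_sysinternals_process_explorer:
  GrantedAccess: '0x40'
  SourceImage|endswith:
    - '\PROCEXP64.EXE'
    - '\PROCEXP.EXE'

filter_optional_vmwaretools:
  SourceImage|contains: ':\ProgramData\VMware\VMware Tools\'
  SourceImage|endswith: '\vmtoolsd.exe'

filter_optional_vscode:
  SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'

filter_optional_webex:
  GrantedAccess: '0x401'
  SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'

# Either list item may match (sequence under a selection is OR-ed).
#
# The endswith entries key on the low byte of the access mask and correspond to
# the Windows process rights 0x10 (PROCESS_VM_READ) combined with
# 0x20 (PROCESS_VM_WRITE), 0x08 (PROCESS_VM_OPERATION) and/or
# 0x02 (PROCESS_CREATE_THREAD) -- i.e. read/write/inject capability on LSASS
# memory, whatever the higher bits are. '0x14C2' is listed as a whole value.
#
# The startswith entries catch well-known full masks: 0x1f0fff-0x1f3fff
# (PROCESS_ALL_ACCESS variants), 0x1418/0x1438/0x143a (query-information plus
# VM read/operate combinations), 0x100000 (SYNCHRONIZE) and 0x40
# (PROCESS_DUP_HANDLE). Note that startswith '0x40' also covers 0x400/0x401-
# prefixed masks, which presumably is why the explorer and WebEx filters name
# '0x401' explicitly.
selection_access:
  - GrantedAccess|endswith:
      - '30'
      - '50'
      - '70'
      - '90'
      - 'B0'
      - 'D0'
      - 'F0'
      - '18'
      - '38'
      - '58'
      - '78'
      - '98'
      - 'B8'
      - 'D8'
      - 'F8'
      - '1A'
      - '3A'
      - '5A'
      - '7A'
      - '9A'
      - 'BA'
      - 'DA'
      - 'FA'
      - '0x14C2'
  - GrantedAccess|startswith:
      - '0x100000'
      - '0x1418'
      - '0x1438'
      - '0x143a'
      - '0x1f0fff'
      - '0x1f1fff'
      - '0x1f2fff'
      - '0x1f3fff'
      - '0x40'

# The rule only concerns handles opened on LSASS itself.
selection_target:
  TargetImage|endswith: '\lsass.exe'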