credential_access_lsass_access_from_unsigned_executable.yml
name: LSASS access from unsigned executable
id: 348bf896-2201-444f-b1c9-e957a1f063bf
version: 1.0.4
description: |
  Detects a process that loads an unsigned executable image and then opens a handle to the
  Local Security Authority Subsystem Service (LSASS) process or one of its threads.
  Adversaries may try to dump credential information stored in the process memory of LSASS.
labels:
  tactic.id: TA0006
  tactic.name: Credential Access
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1003
  technique.name: OS Credential Dumping
  technique.ref: https://attack.mitre.org/techniques/T1003/
  subtechnique.id: T1003.001
  subtechnique.name: LSASS Memory
  subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
references:
  - https://redcanary.com/threat-detection-report/techniques/lsass-memory/

condition: >
  sequence
  maxspan 7m
  by ps.uuid
    |load_unsigned_executable and
      ps.exe not imatches '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'
    |
    |((open_process) or (open_thread)) and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'|

action:
  - name: kill

output: >
  Unsigned executable %1.module.path attempted to access Local Security Authority Subsystem Service
severity: high

min-engine-version: 3.0.0
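To see how the sequence above behaves on an event stream, the following is an added Python model of the rule's logic, written for this page and not part of Fibratus or the rule repository. It approximates `load_unsigned_executable` as an image-load event for an `.exe` that carries no signature (an assumed simplification of the engine macro), implements `imatches` as a case-insensitive glob, and runs the two steps, correlated by `ps.uuid` inside the 7-minute `maxspan`, over constructed events that cover the true positive, the EdgeUpdate exclusion, an expired window, a signed loader, the wrong step order and a non-LSASS target. All paths, process identifiers and timestamps are invented for the example.

```python
"""Added model of credential_access_lsass_access_from_unsigned_executable.yml.
Example code written for this page, not Fibratus code: it replays the rule's
two-step sequence over constructed events so the window, the per-process
correlation and the EdgeUpdate exclusion can be exercised offline."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from typing import Iterable

MAXSPAN_SECONDS = 7 * 60  # the rule's `maxspan 7m`

# Patterns copied from the rule. Fibratus `imatches` is a case-insensitive glob
# in which `?` matches one character and `*` any run of characters.
LSASS_PATTERN = r"?:\Windows\System32\lsass.exe"
EDGEUPDATE_PATTERN = r"?:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"


@dataclass
class Event:
    """Minimal stand-in for a Fibratus event (constructed for this example)."""
    ts: float             # seconds since an arbitrary start
    ps_uuid: str          # ps.uuid: identity of the process performing the action
    name: str             # 'load_image', 'open_process' or 'open_thread'
    ps_exe: str = ""      # ps.exe: path of the acting process's executable
    image_path: str = ""  # load_image only: path of the loaded module
    image_signed: bool = True
    target_exe: str = ""  # open_process/open_thread only: evt.arg[exe]


def imatches(value: str, pattern: str) -> bool:
    """Case-insensitive glob match, the semantics the rule relies on."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def step1(e: Event) -> bool:
    """`load_unsigned_executable and ps.exe not imatches '<EdgeUpdate>'`.
    The macro is approximated as an image-load of an .exe with no signature
    (assumed simplification). The exclusion tests ps.exe, i.e. the loading
    process, not the module that was loaded."""
    return (
        e.name == "load_image"
        and e.image_path.lower().endswith(".exe")
        and not e.image_signed
        and not imatches(e.ps_exe, EDGEUPDATE_PATTERN)
    )


def step2(e: Event) -> bool:
    """`(open_process or open_thread) and evt.arg[exe] imatches '<lsass>'`."""
    return e.name in ("open_process", "open_thread") and imatches(e.target_exe, LSASS_PATTERN)


def detect(events: Iterable[Event], maxspan: float = MAXSPAN_SECONDS) -> list[str]:
    """Evaluate `sequence maxspan <maxspan> by ps.uuid |step1| |step2|` and return
    one message per match, formatted like the rule's `output`, where
    %1.module.path is the image loaded by the first step."""
    pending: dict[str, Event] = {}  # ps.uuid -> latest step-1 event not yet consumed
    alerts: list[str] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if step1(e):
            pending[e.ps_uuid] = e  # a newer unsigned load restarts the window
        elif step2(e):
            first = pending.get(e.ps_uuid)
            if first is not None and 0 <= e.ts - first.ts <= maxspan:
                alerts.append(
                    f"Unsigned executable {first.image_path} attempted to access "
                    "Local Security Authority Subsystem Service"
                )
                del pending[e.ps_uuid]  # the sequence fires once per completed match
    return alerts


# Constructed event stream; paths, process ids and times are invented.
LSASS = r"C:\WINDOWS\system32\lsass.exe"  # odd casing on purpose: imatches ignores case
EDGE = r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
DUMPER = r"C:\Users\bob\Downloads\dumper.exe"
TEMP_TOOL = r"C:\Users\bob\AppData\Local\Temp\tool.exe"

SAMPLE_EVENTS = [
    # A: unsigned .exe loaded, lsass opened 30 s later -> the only match
    Event(0, "A", "load_image", ps_exe=DUMPER, image_path=DUMPER, image_signed=False),
    Event(30, "A", "open_process", ps_exe=DUMPER, target_exe=LSASS),
    # B: same behaviour from MicrosoftEdgeUpdate.exe -> suppressed by the ps.exe exclusion
    Event(0, "B", "load_image", ps_exe=EDGE, image_path=EDGE, image_signed=False),
    Event(10, "B", "open_process", ps_exe=EDGE, target_exe=LSASS),
    # C: both steps present but 500 s apart, outside maxspan 7m (420 s)
    Event(0, "C", "load_image", ps_exe=TEMP_TOOL, image_path=TEMP_TOOL, image_signed=False),
    Event(500, "C", "open_thread", ps_exe=TEMP_TOOL, target_exe=LSASS),
    # D: the loaded executable is signed, so step 1 never matches
    Event(0, "D", "load_image", ps_exe=DUMPER, image_path=DUMPER, image_signed=True),
    Event(5, "D", "open_thread", ps_exe=DUMPER, target_exe=LSASS),
    # E: lsass opened before the unsigned load; a sequence is ordered
    Event(0, "E", "open_process", ps_exe=DUMPER, target_exe=LSASS),
    Event(5, "E", "load_image", ps_exe=DUMPER, image_path=DUMPER, image_signed=False),
    # F: unsigned load followed by opening a process other than lsass
    Event(0, "F", "load_image", ps_exe=DUMPER, image_path=DUMPER, image_signed=False),
    Event(5, "F", "open_process", ps_exe=DUMPER, target_exe=r"C:\Windows\System32\svchost.exe"),
]


def run_sample() -> list[str]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Only process A produces an alert. The model makes two tuning points visible that the YAML states tersely: the EdgeUpdate exclusion keys on `ps.exe`, the process doing the loading, so a malicious module loaded by that updater would also be excluded, and `maxspan` bounds the gap between the unsigned load and the LSASS handle open, so a loader that sleeps longer than seven minutes before touching LSASS falls outside the window. The rule's `kill` action, which terminates the offending process on a match, is not modelled here.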