feat(rules): LSASS access from unsigned executable

Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). Adversaries may try to dump credential information stored in the process memory of LSASS.

Author: rabbitstack

rules/credential_access_lsass_access_from_unsigned_executable.yml

@@ -0,0 +1,32 @@
+name: LSASS access from unsigned executable
+id: 348bf896-2201-444f-b1c9-e957a1f063bf
+version: 1.0.0
+description: |
+  Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). 
+  Adversaries may try to dump credential information stored in the process memory of LSASS.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.name: OS Credential Dumping
+  technique.ref: https://attack.mitre.org/techniques/T1003/
+  subtechnique.id: T1003.001
+  subtechnique.name: LSASS Memory
+  subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
+references:
+  - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
+
+condition: >
+  sequence
+  maxspan 7m
+  by ps.uuid
+    |load_unsigned_executable|
+    |((open_process) or (open_thread)) and kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'|
+action:
+  - name: kill
+
+output: >
+  Unsigned executable %1.image.path attempted to access Local Security Authority Subsystem Service
+severity: high
+
+min-engine-version: 2.2.0

rules/macros/macros.yml

@@ -153,6 +153,12 @@
   expr: >
     load_module and (image.name iendswith '.dll' or image.is_dll)
 
+- macro: load_unsigned_executable
+  expr: >
+    load_executable
+      and
+    image.signature.type = 'NONE'
+
 - macro: load_untrusted_executable
   expr: >
     load_executable