diff --git a/rules/credential_access_lsass_access_from_unsigned_executable.yml b/rules/credential_access_lsass_access_from_unsigned_executable.yml new file mode 100644 index 000000000..66329dfff --- /dev/null +++ b/rules/credential_access_lsass_access_from_unsigned_executable.yml @@ -0,0 +1,32 @@ +name: LSASS access from unsigned executable +id: 348bf896-2201-444f-b1c9-e957a1f063bf +version: 1.0.0 +description: | + Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). + Adversaries may try to dump credential information stored in the process memory of LSASS. +labels: + tactic.id: TA0006 + tactic.name: Credential Access + tactic.ref: https://attack.mitre.org/tactics/TA0006/ + technique.name: OS Credential Dumping + technique.ref: https://attack.mitre.org/techniques/T1003/ + subtechnique.id: T1003.001 + subtechnique.name: LSASS Memory + subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/ +references: + - https://redcanary.com/threat-detection-report/techniques/lsass-memory/ + +condition: > + sequence + maxspan 7m + by ps.uuid + |load_unsigned_executable| + |((open_process) or (open_thread)) and kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'| +action: + - name: kill + +output: > + Unsigned executable %1.image.path attempted to access Local Security Authority Subsystem Service +severity: high + +min-engine-version: 2.2.0 diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml index ac8c9ec75..b916aa575 100644 --- a/rules/macros/macros.yml +++ b/rules/macros/macros.yml @@ -150,6 +150,12 @@ expr: > load_module and (image.name iendswith '.dll' or image.is_dll) +- macro: load_unsigned_executable + expr: > + load_executable + and + image.signature.type = 'NONE' + - macro: load_untrusted_executable expr: > load_executable