feat(rules): New LSASS access from unsigned executable rule

rules/credential_access_lsass_access_from_unsigned_executable.yml

@@ -0,0 +1,32 @@
+name: LSASS access from unsigned executable
+id: 348bf896-2201-444f-b1c9-e957a1f063bf
+version: 1.0.0
+description: |
+  Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). 
+  Adversaries may try to dump credential information stored in the process memory of LSASS.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.name: OS Credential Dumping
+  technique.ref: https://attack.mitre.org/techniques/T1003/
+  subtechnique.id: T1003.001
+  subtechnique.name: LSASS Memory
+  subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
+references:
+  - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
+
+condition: >
+  sequence
+  maxspan 7m
+  by ps.uuid
+    |load_unsigned_executable|
+    |((open_process) or (open_thread)) and kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'|
+action:
+  - name: kill
+
+output: >
+  Unsigned executable %1.image.path attempted to access Local Security Authority Subsystem Service
+severity: high
+
+min-engine-version: 2.2.0

rules/macros/macros.yml

@@ -150,6 +150,12 @@
   expr: >
     load_module and (image.name iendswith '.dll' or image.is_dll)
 
+- macro: load_unsigned_executable
+  expr: >
+    load_executable
+      and
+    image.signature.type = 'NONE'
+
 - macro: load_untrusted_executable
   expr: >
     load_executable