title: Suspicious LSASS Process Clone
ruletype: Sigma
author: Florian Roth, Samir Bousseaden
date: 2021/11/27
description: Detects a suspicious LSASS process process clone that could be a sign
  of process dumping activity
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\Windows\System32\lsass.exe'
  SELECTION_3:
    ParentImage: '*\Windows\System32\lsass.exe'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
level: critical
logsource:
  category: process_creation
  product: windows
references:
- https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
- https://twitter.com/Hexacorn/status/1420053502554951689
- https://twitter.com/SBousseaden/status/1464566846594691073?s=20
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001