31 lines
1.0 KiB
YAML
31 lines
1.0 KiB
YAML
title: LSASS Access Detected via Attack Surface Reduction
|
|
author: Markus Neis
|
|
date: 2018/08/26
|
|
description: Detects Access to LSASS Process
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1121
|
|
SELECTION_2:
|
|
Path: '*\lsass.exe'
|
|
condition: (SELECTION_1 and SELECTION_2)
|
|
falsepositives:
|
|
- Google Chrome GoogleUpdate.exe
|
|
- Some Taskmgr.exe related activity
|
|
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
|
|
level: high
|
|
logsource:
|
|
definition: 'Requirements:Enabled Block credential stealing from the Windows local
|
|
security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID:
|
|
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
|
|
product: windows_defender
|
|
references:
|
|
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
|
|
status: experimental
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003
|
|
- attack.t1003.001
|
|
yml_filename: win_alert_lsass_access.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
|
|
|