Nasreddine Bencherchali
33 lines
1013 B
YAML
33 lines
1013 B
YAML
title: Findstr LSASS
|
|
id: fe63010f-8823-4864-a96b-a7b4a0f7b929
|
|
status: experimental
|
|
description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
|
|
references:
|
|
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
|
|
author: Florian Roth (Nextron Systems)
|
|
date: 2022/08/12
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1552.006
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_findstr_img:
|
|
- Image|endswith: '\findstr.exe'
|
|
- OriginalFileName: 'FINDSTR.EXE'
|
|
selection_findstr_cli:
|
|
CommandLine|contains: 'lsass'
|
|
selection_special:
|
|
CommandLine|contains:
|
|
- ' /i lsass.exe'
|
|
- ' /i "lsass'
|
|
- 'findstr lsass'
|
|
- 'findstr.exe lsass'
|
|
- 'findstr "lsass'
|
|
- 'findstr.exe "lsass'
|
|
condition: all of selection_findstr_* or selection_special
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|