Florian Roth
48 lines
1.8 KiB
YAML
48 lines
1.8 KiB
YAML
title: LSASS Access Detected via Attack Surface Reduction
|
|
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
|
|
description: Detects Access to LSASS Process
|
|
status: experimental
|
|
references:
|
|
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
|
|
author: Markus Neis
|
|
date: 2018/08/26
|
|
modified: 2022/02/09
|
|
tags:
|
|
- attack.credential_access
|
|
# Defender Attack Surface Reduction
|
|
- attack.t1003.001
|
|
logsource:
|
|
product: windows
|
|
service: windefend
|
|
definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
|
|
detection:
|
|
selection:
|
|
EventID: 1121
|
|
Path|endswith: '\lsass.exe'
|
|
filter_thor:
|
|
ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
|
|
ProcessName|endswith:
|
|
- '\thor64.exe'
|
|
- '\thor.exe'
|
|
filter_exact:
|
|
ProcessName:
|
|
- 'C:\Windows\System32\atiesrxx.exe'
|
|
- 'C:\Windows\System32\CompatTelRunner.exe'
|
|
- 'C:\Windows\System32\msiexec.exe'
|
|
- 'C:\Windows\System32\nvwmi64.exe'
|
|
- 'C:\Windows\System32\svchost.exe'
|
|
- 'C:\Windows\System32\Taskmgr.exe'
|
|
- 'C:\Windows\System32\wbem\WmiPrvSE.exe'
|
|
- 'C:\Windows\SysWOW64\msiexec.exe'
|
|
filter_begins:
|
|
ProcessName|startswith:
|
|
- 'C:\Windows\System32\\DriverStore\'
|
|
- 'C:\WINDOWS\Installer\'
|
|
- 'C:\Program Files\'
|
|
- 'C:\Program Files (x86)\'
|
|
condition: selection and not 1 of filter_*
|
|
falsepositives:
|
|
- Google Chrome GoogleUpdate.exe
|
|
- Some Taskmgr.exe related activity
|
|
level: high
|