[Rule Tuning] LSASS Process Access via Windows API (#3839)

Jonhnathan
2024-06-27 12:22:13 -03:00
committed by GitHub
parent c3ba7b1262
commit 7693d785aa
@@ -2,7 +2,7 @@
creation_date = "2023/03/02"
integration = ["endpoint", "m365_defender"]
maturity = "production"
updated_date = "2024/06/25"
updated_date = "2024/06/27"
[transform]
[[transform.osquery]]
@@ -120,7 +120,9 @@ type = "eql"
query = '''
api where host.os.type == "windows" and
process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and
not process.executable : (
not
(
process.executable : (
"?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe",
@@ -157,6 +159,7 @@ api where host.os.type == "windows" and
"?:\\Windows\\System32\\RtkAudUService64.exe",
"?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe"
) and not ?process.code_signature.trusted == false
)
'''
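Review bot: The new `and not ?process.code_signature.trusted == false` guard on the allowlist's closing line still suppresses an allowlisted executable that carries no signature data at all: with the `?` optional-field operator a missing `process.code_signature.trusted` appears to make the comparison null rather than false, so the wrapped `not (...)` does not fire and an unsigned binary dropped at a wildcarded, user-writable path such as `?:\ProgramData\GetSupportService*\Updates\Update_*.exe` is excluded exactly like a trusted-signed one. If both listed integrations (`endpoint`, `m365_defender`) populate code-signature fields, the stronger form makes a valid signature a positive condition of the exclusion, i.e. `) and ?process.code_signature.trusted == true`; if one source does not populate the field, that trade-off should at least be stated in the rule's note/description so analysts know unsigned binaries in these paths are not alerted on. The query block starts in the previous hunk (`query = '''`) and the allowlist entries between the two hunks are not shown.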