
Summary
This rule detects handle access requests for the Local Security Authority Subsystem Service (LSASS) that may indicate attempts to dump memory from this process. It focuses on specific access masks associated with memory dumping tools, such as SharpDump and Mimikatz, thus providing broad coverage against various methods of credential harvesting. The rule leverages Windows Event Log data, particularly Event ID 4656, to identify potential unauthorized access attempts to LSASS. In addition, the rule is designed to minimize false positives by excluding known legitimate processes from the detection criteria. Analysts are provided with triage steps and investigation recommendations in the event of detection, including validating process signatures and monitoring network activity related to detected behavior.
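As an added illustration of the access-mask check the summary describes (example code, not the rule's own logic): decode the AccessMask of Event ID 4656 records, flag handle requests against lsass.exe that carry memory-read rights, and drop an allow-list of legitimate requesters. The sample events, the allow-list entries and the fixed set of "dump" rights are assumptions made for this example; the field names follow the 4656 event schema.

```python
# Added example, not the rule's own code: decode the AccessMask of Windows
# Security Event ID 4656 ("a handle to an object was requested") and flag
# requests against lsass.exe that carry memory-read rights, after dropping
# an allow-list of legitimate requesters (allow-list and events constructed).

# Process access rights from winnt.h; these are the bits a dumper needs.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
# Any of these on an LSASS handle is enough to read (or copy) its memory.
DUMP_RIGHTS = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

# Constructed allow-list; a deployed rule tunes this to the environment
# (OS services, EDR and AV agents) to keep false positives down.
ALLOWED_PROCESSES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

def flag_lsass_access(events: list) -> list:
    """Return the 4656 events that request dump-capable rights on lsass.exe."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4656 or ev.get("ObjectType") != "Process":
            continue
        if not ev.get("ObjectName", "").lower().endswith(r"\lsass.exe"):
            continue
        mask = int(ev.get("AccessMask", "0x0"), 16)
        if not mask & DUMP_RIGHTS:
            continue  # e.g. 0x1000 (query limited information) is routine
        if ev.get("ProcessName", "").lower() in ALLOWED_PROCESSES:
            continue
        hits.append({"process": ev["ProcessName"], "mask": hex(mask)})
    return hits

# Constructed sample events in the shape of 4656's EventData fields.
LSASS = r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 4656, "ObjectType": "Process", "ObjectName": LSASS,
     "ProcessName": r"C:\Windows\System32\svchost.exe", "AccessMask": "0x1000"},
    {"EventID": 4656, "ObjectType": "Process", "ObjectName": LSASS,
     "ProcessName": r"C:\Users\alice\Downloads\tool.exe", "AccessMask": "0x1010"},
    {"EventID": 4656, "ObjectType": "Process", "ObjectName": LSASS,
     "ProcessName": r"C:\Windows\System32\csrss.exe", "AccessMask": "0x1fffff"},
    {"EventID": 4656, "ObjectType": "File", "ObjectName": r"C:\Temp\lsass.exe",
     "ProcessName": r"C:\Windows\explorer.exe", "AccessMask": "0x1010"},
    {"EventID": 4656, "ObjectType": "Process", "ObjectName": LSASS,
     "ProcessName": r"C:\Windows\Temp\unknown.exe", "AccessMask": "0x1fffff"},
]
```

Only the two unlisted requesters asking for PROCESS_VM_READ or full access are flagged; the 0x1000 query from svchost and the file-object event named lsass.exe are not.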
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1550
- T1003
- T1003.001
Created: 2022-02-16