
Summary
This detection rule identifies access to the Local Security Authority Subsystem Service (LSASS) process by non-system accounts, a pattern that may indicate a credential dumping tool such as Mimikatz. It consumes Windows Security log Event IDs 4656 (a handle to an object was requested) and 4663 (an attempt was made to access an object) and selects those whose ObjectType is Process and whose ObjectName ends in 'lsass.exe'. These events are only generated for process objects when the Object Access audit subcategory 'Audit Kernel Object' is enabled; without that audit policy the rule has nothing to match.
The detection logic applies an AccessMask filter for the process access rights that credential dumping requires: reading LSASS memory needs PROCESS_VM_READ (0x10), usually combined with PROCESS_QUERY_INFORMATION (0x400), which is the 0x1010 mask commonly seen when Mimikatz opens LSASS. It then excludes accesses by system accounts (LOCAL SYSTEM and machine accounts) and a small set of known benign accessors. Any remaining access to the LSASS process by a non-system account is flagged. This matters because LSASS holds the credential material an attacker needs for lateral movement, including NTLM hashes and Kerberos tickets, and on hosts where WDigest caching is still enabled, cleartext passwords.
Because dumping LSASS is a routine step after initial compromise, the rule is most useful for hunting and incident response: each hit carries the accessing account and process (the event's SubjectUserName and ProcessName fields) and the requested rights (AccessMask), which is the context needed to confirm credential theft and scope follow-on activity. Expect some tuning, since security products, debuggers and some monitoring agents legitimately open LSASS with read access and will need to be allowlisted per environment.
Categories
- Windows
- Endpoint
Data Sources
- Process
- Logon Session
Created: 2019-06-20