title: Suspicious LSASS Process Access
id: dcfda42d-c1a7-4106-aa96-7912201d9221
status: experimental
description: >
  Detects process access to lsass.exe with access rights commonly used to read
  process memory (credential dumping). Tuned to the granted-access masks seen with
  Mimikatz, comsvcs MiniDump, and similar tooling rather than the broad 0x1010 alone.
references:
  - https://attack.mitre.org/techniques/T1003/001/
  - https://github.com/SwiftOnSecurity/sysmon-config
author: Zion Boggan
date: 2026-05-12
tags:
  - attack.credential_access
  - attack.t1003.001
logsource:
  product: windows
  category: process_access
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess:
      - '0x1010'
      - '0x1410'
      - '0x143a'
      - '0x1438'
      - '0x1fffff'
  filter_known:
    SourceImage|endswith:
      - '\wininit.exe'
      - '\csrss.exe'
      - '\MsMpEng.exe'
      - '\wmiprvse.exe'
  condition: selection and not filter_known
falsepositives:
  - EDR and AV products legitimately reading LSASS; baseline and add to filter_known.
level: high
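As an added illustration that is not part of the rule or of the Sigma project, the condition above evaluated in Python over constructed Sysmon Event ID 10 (ProcessAccess) records. Field names follow the Sysmon process_access schema; the sample events and paths are made up, and string matching is case-insensitive as in Sigma.

```python
# Selection values copied from the rule; Sigma compares strings
# case-insensitively, so every field is lower-cased before matching.
LSASS_SUFFIX = "\\lsass.exe"
GRANTED_ACCESS = {"0x1010", "0x1410", "0x143a", "0x1438", "0x1fffff"}
FILTER_KNOWN_SUFFIXES = ("\\wininit.exe", "\\csrss.exe",
                         "\\msmpeng.exe", "\\wmiprvse.exe")


def matches_selection(event: dict) -> bool:
    """selection: TargetImage|endswith '\\lsass.exe' and GrantedAccess in the mask list."""
    target = str(event.get("TargetImage", "")).lower()
    granted = str(event.get("GrantedAccess", "")).lower()
    return target.endswith(LSASS_SUFFIX) and granted in GRANTED_ACCESS


def matches_filter_known(event: dict) -> bool:
    """filter_known: SourceImage|endswith one of the allow-listed system/AV binaries."""
    source = str(event.get("SourceImage", "")).lower()
    return source.endswith(FILTER_KNOWN_SUFFIXES)


def rule_fires(event: dict) -> bool:
    """condition: selection and not filter_known"""
    return matches_selection(event) and not matches_filter_known(event)


def run_detection(events: list) -> list:
    """Return the SourceImage of every record the rule would alert on."""
    return [e["SourceImage"] for e in events if rule_fires(e)]


# Constructed Sysmon Event ID 10 records, not real telemetry.
SAMPLE_EVENTS = [
    # Unknown user-profile binary reading LSASS with 0x1010: alerts.
    {"SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    # Defender engine with full access: selection matches, filter_known suppresses it.
    {"SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Listed mask but the target is not lsass.exe: no match.
    {"SourceImage": "C:\\Windows\\System32\\notepad.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1410"},
    # LSASS target but a mask outside the list (QUERY_LIMITED_INFORMATION only): no match.
    {"SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT Suspicious LSASS Process Access:", hit)
```

The last sample record shows the rule's blind spot: a granted-access mask not in the list is never examined, so new masks seen in baselining must be added to the selection, not only to filter_known.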