medium advisory

LSASS Memory Dump Handle Access Detection

This rule detects handle requests for LSASS object access with specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) indicative of memory dumping, commonly employed by tools like SharpDump, Procdump, Mimikatz, and Comsvcs to extract credentials from the LSASS process on Windows systems.

The Local Security Authority Subsystem Service (LSASS) is a critical Windows process responsible for enforcing security policy and handling user authentication. Attackers often target LSASS to steal credentials for lateral movement and privilege escalation. This detection identifies attempts to access LSASS memory using specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) that are commonly requested by tools designed to dump LSASS memory. The rule is designed to be tool-agnostic, detecting the underlying behavior rather than specific tool signatures. It has been validated against various LSASS dumping tools, including SharpDump, Procdump, Mimikatz, and Comsvcs. The rule triggers on Windows systems where Audit Handle Manipulation is enabled and the corresponding security event logs are generated.
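The following is an added example (not the vendor's rule, whose query stays inside their platform) that applies the three conditions described above to Windows Security Event ID 4656 records: the object is lsass.exe, the access mask is one of the four listed, and the requesting process is not one of the exclusions named under Recommendation. The field names (ObjectName, AccessMask, ProcessName) are the standard 4656 fields; the sample events are constructed, not real telemetry.

```python
from typing import Optional

# Access masks the advisory lists as indicative of LSASS memory dumping.
SUSPICIOUS_ACCESS_MASKS = {0x1FFFFF, 0x1010, 0x120089, 0x1F3FFF}

# Requesting processes the rule excludes; validate these for your environment.
EXCLUDED_PROCESSES = {"wmiprvse.exe", "dllhost.exe", "svchost.exe",
                      "msiexec.exe", "explorer.exe"}


def _basename(path: str) -> str:
    # 4656 paths use backslashes (often \Device\HarddiskVolumeN\...); keep the last component.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_access_mask(value) -> Optional[int]:
    """Accept '0x1fffff', '0x1F3FFF', '1fffff' or an int; None if unparsable."""
    if isinstance(value, int):
        return value
    try:
        return int(str(value).strip(), 16)
    except ValueError:
        return None


def is_lsass_dump_handle(event: dict) -> bool:
    """True when a single 4656 record satisfies all three rule conditions."""
    if str(event.get("EventID")) != "4656":
        return False
    if _basename(event.get("ObjectName", "")) != "lsass.exe":
        return False
    if parse_access_mask(event.get("AccessMask")) not in SUSPICIOUS_ACCESS_MASKS:
        return False
    # Exclusion is evaluated last so a tuned allow-list is the only thing suppressing a hit.
    return _basename(event.get("ProcessName", "")) not in EXCLUDED_PROCESSES


def find_alerts(events):
    return [e for e in events if is_lsass_dump_handle(e)]


# Constructed sample events (hypothetical paths and processes, not real telemetry).
LSASS = r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 4656, "ObjectName": LSASS, "AccessMask": "0x1fffff", "ProcessName": r"C:\Users\alice\Downloads\pd64.exe"},
    {"EventID": 4656, "ObjectName": LSASS, "AccessMask": "0x1F3FFF", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4656, "ObjectName": LSASS, "AccessMask": "0x1400", "ProcessName": r"C:\Windows\System32\Taskmgr.exe"},
    {"EventID": 4656, "ObjectName": r"C:\Windows\notepad.exe", "AccessMask": "0x1fffff", "ProcessName": r"C:\tools\x.exe"},
    {"EventID": 4663, "ObjectName": LSASS, "AccessMask": "0x1fffff", "ProcessName": r"C:\tools\x.exe"},
]

if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {e['ProcessName']} requested {e['AccessMask']} on {e['ObjectName']}")
```

Only the first sample fires: the second is suppressed by the svchost.exe exclusion, the third requests a mask the rule does not list, the fourth targets a different object, and the fifth is not a handle-request event.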

Attack Chain

  1. An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.
  2. The attacker elevates privileges to an administrative account or SYSTEM, necessary for accessing LSASS memory.
  3. The attacker executes a credential dumping tool, such as Mimikatz, SharpDump, or Procdump.
  4. The tool attempts to open a handle to the LSASS process (lsass.exe) with a specific access mask (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) required for memory dumping.
  5. Windows Security Event ID 4656 is generated, logging the handle request to the LSASS object.
  6. The tool reads the memory contents of the LSASS process.
  7. The dumped memory is parsed to extract sensitive information, such as passwords, NTLM hashes, and Kerberos tickets.
  8. The attacker uses the stolen credentials to move laterally to other systems or access sensitive data.

Impact

Successful LSASS memory dumping allows attackers to steal user credentials, enabling lateral movement and privilege escalation within the network. This can lead to widespread compromise, data breaches, and significant disruption of services. Stolen credentials can be used to access sensitive data, control critical systems, and maintain a persistent presence within the environment.

Recommendation

  • Enable Audit Handle Manipulation to generate the necessary events for this rule to function, as described in the setup instructions.
  • Deploy the Sigma rule LSASS Memory Dump Handle Access to your SIEM and tune the exceptions based on your environment to minimize false positives.
  • Investigate any alerts generated by this rule, focusing on the process execution chain (parent process tree) to identify the source of the LSASS handle request.
  • Review the processes excluded in the rule (WmiPrvSE.exe, dllhost.exe, svchost.exe, msiexec.exe, explorer.exe) and ensure these exclusions are valid for your environment.
  • Implement strong password policies and multi-factor authentication to mitigate the impact of credential theft.

Detection coverage (2 rules)

LSASS Memory Dump Handle Access

medium

Detects handle requests to LSASS process with access masks indicative of memory dumping.

Type: sigma | Tactics: credential_access | Techniques: T1003.001 | Sources: process_creation, windows

LSASS Memory Read via OpenProcess

high

Detects programs opening LSASS with PROCESS_VM_READ and other memory access rights

Type: sigma | Tactics: credential_access | Techniques: T1003.001 | Sources: process_creation, windows
