Advisory severity: medium

LSASS Process Access via Windows API

This rule identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory by detecting specific API calls (OpenProcess, OpenThread, ReadProcessMemory) targeting the 'lsass.exe' process.

The Local Security Authority Subsystem Service (LSASS) is a crucial Windows component that manages user authentication and security policies. Attackers may attempt to access the LSASS process handle to dump credentials from memory for lateral movement and privilege escalation. This rule detects attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread, ReadProcessMemory) targeting the “lsass.exe” process. The rule leverages data from Elastic Defend and Microsoft Defender XDR, analyzing API events on Windows systems, excluding common false positives related to standard program files and Windows Defender processes.

Attack Chain

  1. An attacker gains initial access to a Windows system, potentially through phishing, exploitation of a vulnerability, or compromised credentials.
  2. The attacker executes a malicious program or script on the compromised system.
  3. The malicious program attempts to access the LSASS process using Windows API calls such as OpenProcess or OpenThread.
  4. The program requests specific access rights necessary for reading LSASS memory.
  5. If successful, the program reads the memory contents of the LSASS process.
  6. The attacker extracts sensitive information such as usernames, passwords, and Kerberos tickets from the dumped LSASS memory.
  7. The attacker uses the stolen credentials to move laterally to other systems within the network.
  8. The attacker escalates privileges and gains control over critical assets.

Impact

Successful credential dumping from LSASS memory can lead to a complete compromise of the Windows domain. Attackers can use stolen credentials to move laterally, escalate privileges, and gain unauthorized access to sensitive data. This can result in data breaches, financial loss, and reputational damage. If successful, attackers can compromise administrator accounts, allowing them to control the entire infrastructure.

Recommendation

  • Deploy the Sigma rule provided below to detect suspicious LSASS process access attempts, and tune for your environment to reduce false positives.
  • Enable endpoint detection and response (EDR) solutions like Elastic Defend and Microsoft Defender XDR to capture API events and process execution data as referenced in the rule’s logsource.
  • Monitor process.Ext.api.parameters.desired_access to assess the access rights requested by processes attempting to access LSASS, as described in the investigation guide.
  • Implement the Osquery queries to examine the DNS cache, host services, and unsigned executables as shown in the overview to enhance investigation capabilities.
  • Add exceptions based on process.executable, process.code_signature.subject_name, and process.Ext.api.parameters.desired_access_numeric as documented to reduce false positives in environments with known legitimate LSASS access.
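The detection and tuning logic described above (the watched API calls, the lsass.exe target, the program-files and Windows Defender exclusions, and reading the requested access mask), worked through as an added Python example. This is not Elastic's or Microsoft's rule or code. It assumes flattened events keyed by the field names the advisory cites; the API-name field (process.Ext.api.name), the target-process field (Target.process.name), the signature-trust field (process.code_signature.trusted) and every sample event are constructed assumptions for illustration.

```python
"""Toy LSASS handle-access detector over constructed API events.

Added example for this advisory; not the vendor's rule logic or code.
Assumed field names: process.Ext.api.name, Target.process.name and
process.code_signature.trusted. The advisory's own fields are
process.executable, process.code_signature.subject_name and
process.Ext.api.parameters.desired_access_numeric.
"""
from __future__ import annotations

from typing import Any

# Process access-right bits as defined in the Win32 headers.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

ACCESS_NAMES = {
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# API calls named in the advisory.
WATCHED_APIS = {"OpenProcess", "OpenThread", "ReadProcessMemory"}

# Exclusion tuning (assumed values): standard program directories and the
# Defender engine binary, both only when the image signature is trusted.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
DEFENDER_BASENAMES = {"msmpeng.exe"}


def describe_access(mask: int) -> list[str]:
    """Expand a desired_access bitmask into the named rights it contains."""
    return [name for bit, name in ACCESS_NAMES.items() if mask & bit]


def is_excluded(event: dict[str, Any]) -> bool:
    """False-positive exclusions: trusted images in program dirs or Defender."""
    exe = str(event.get("process.executable", "")).lower()
    trusted = bool(event.get("process.code_signature.trusted", False))
    if not trusted:
        return False
    if exe.startswith(TRUSTED_DIRS):
        return True
    return exe.rsplit("\\", 1)[-1] in DEFENDER_BASENAMES


def evaluate(event: dict[str, Any]) -> dict[str, Any] | None:
    """Return an alert for a watched API call against lsass.exe, else None."""
    api = event.get("process.Ext.api.name")
    target = str(event.get("Target.process.name", "")).lower()
    if api not in WATCHED_APIS or target != "lsass.exe":
        return None
    if is_excluded(event):
        return None
    mask = int(event.get("process.Ext.api.parameters.desired_access_numeric", 0))
    # A handle that can read LSASS memory is the one worth escalating first.
    severity = "high" if mask & PROCESS_VM_READ else "medium"
    return {
        "severity": severity,
        "api": api,
        "executable": event.get("process.executable"),
        "signer": event.get("process.code_signature.subject_name"),
        "desired_access": describe_access(mask),
    }


def run_detection(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Evaluate a batch of events and return the alerts in input order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # unsigned binary in a user profile opening LSASS with VM_READ: alert
        "process.executable": "C:\\Users\\alice\\Downloads\\updater.exe",
        "process.code_signature.trusted": False,
        "process.Ext.api.name": "OpenProcess",
        "Target.process.name": "lsass.exe",
        "process.Ext.api.parameters.desired_access_numeric": 0x1410,
    },
    {  # Windows Defender engine with a trusted signature: excluded
        "process.executable": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\x.y.z\\MsMpEng.exe",
        "process.code_signature.subject_name": "Microsoft Corporation",
        "process.code_signature.trusted": True,
        "process.Ext.api.name": "OpenProcess",
        "Target.process.name": "lsass.exe",
        "process.Ext.api.parameters.desired_access_numeric": 0x1410,
    },
    {  # signed vendor agent under Program Files asking only limited query: excluded
        "process.executable": "C:\\Program Files\\ExampleVendor\\agent.exe",
        "process.code_signature.subject_name": "Example Vendor Inc.",
        "process.code_signature.trusted": True,
        "process.Ext.api.name": "OpenProcess",
        "Target.process.name": "lsass.exe",
        "process.Ext.api.parameters.desired_access_numeric": 0x1000,
    },
    {  # same unsigned binary, but an API the rule does not watch: ignored
        "process.executable": "C:\\Users\\alice\\Downloads\\updater.exe",
        "process.code_signature.trusted": False,
        "process.Ext.api.name": "CreateFileW",
        "Target.process.name": "lsass.exe",
    },
    {  # unsigned binary reading LSASS memory, no access mask recorded: medium
        "process.executable": "C:\\Windows\\Temp\\svc.exe",
        "process.code_signature.trusted": False,
        "process.Ext.api.name": "ReadProcessMemory",
        "Target.process.name": "lsass.exe",
    },
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

The exclusions deliberately require a trusted signature in addition to the path, so an unsigned binary dropped into a Program Files subfolder is still reported; when tuning real exceptions, pair process.executable with process.code_signature.subject_name and the expected desired_access_numeric rather than excluding on path alone.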

Detection coverage (2 rules)

Detect LSASS Process Access via OpenProcess API

medium

Detects access to LSASS process via OpenProcess API call

Format: Sigma | Tactics: credential_access | Techniques: T1003.001 | Sources: process_creation, windows

Detect LSASS Process Access via ReadProcessMemory API

medium

Detects access to LSASS process via ReadProcessMemory API call

Format: Sigma | Tactics: credential_access | Techniques: T1003.001 | Sources: process_creation, windows
