Potentially Suspicious AccessMask Requested From LSASS
This brief describes the detection of suspicious access mask requests to the Local Security Authority Subsystem Service (LSASS) process, a common post-exploitation technique used by threat actors for credential dumping on Windows systems.
This brief details a critical detection capability aimed at identifying credential dumping attempts on Windows systems. Threat actors frequently target the Local Security Authority Subsystem Service (LSASS) process to extract cached credentials, which can then be used for lateral movement, privilege escalation, and persistent access. The detection focuses on suspicious access mask requests to the LSASS process (lsass.exe). While legitimate processes, especially security products, may access LSASS, specific combinations of access rights and process names are highly indicative of malicious activity. This detection leverages Windows Security Event IDs 4656 and 4663, which log handle requests and object access attempts, to pinpoint anomalous interactions with LSASS. Implementing this detection helps defenders uncover post-exploitation activities and prevent further compromise.
Attack Chain
This brief focuses on a specific post-exploitation technique rather than a full attack chain:
- Initial Access (Prerequisite): An attacker gains initial access to a target Windows system through various means (e.g., phishing, exploiting a vulnerable service, RDP brute-force).
- Privilege Escalation: The attacker achieves local administrator or SYSTEM privileges, which are often necessary to interact with the LSASS process.
- LSASS Process Targeting: The attacker's malicious tool (e.g., Mimikatz, procdump) attempts to open a handle to the
lsass.exeprocess. - Suspicious Access Request: The tool requests specific, often broad or highly privileged, access masks (e.g.,
0x40,0x1400,0x100000,0x1f0fff) to the LSASS process memory. These access masks allow reading or controlling the process's memory. - Credential Dumping: Upon successful handle acquisition, the tool reads the LSASS memory to extract cached user credentials, NTLM hashes, or Kerberos tickets.
- Lateral Movement / Persistence: The stolen credentials are then used to authenticate to other systems on the network, escalate privileges further, or establish persistence.
Impact
Successful credential dumping from LSASS allows attackers to obtain highly sensitive user credentials, including those of domain administrators. This enables unfettered lateral movement across the network, privilege escalation, and access to critical resources and data. The impact can range from complete domain compromise to widespread data exfiltration, system destruction, or deployment of ransomware. Organizations could face significant financial losses due to operational disruption, data recovery costs, regulatory fines, and reputational damage. Detecting and responding to these attempts is crucial to preventing broader compromises.
Recommendation
- Deploy the provided Sigma rule to your SIEM solution to detect suspicious access to the LSASS process.
- Ensure Windows Security Event logging (specifically Event IDs 4656 and 4663) is enabled and configured to capture object access attempts on your endpoints.
- Review and tune the
filter_main_*andfilter_optional_*sections of the Sigma rule by adding legitimate internal security tools or processes that interact with LSASS for monitoring or management purposes, to reduce false positives. - Investigate all
mediumseverity alerts generated by this rule immediately, as they indicate potential credential dumping attempts.
Detection coverage 1
Potentially Suspicious AccessMask Requested From LSASS
mediumDetects process handle or object access attempts on the LSASS process with suspicious access mask values, indicating potential credential dumping.
Detection queries are available on the platform. Get full rules →