Detecting Suspicious GrantedAccess Flags on LSASS
This brief details a detection for potentially suspicious `GrantedAccess` flags when a process attempts to access `LSASS.exe`, indicating possible credential dumping attempts by adversaries, which can lead to lateral movement and privilege escalation on Windows systems.
This threat brief focuses on a critical post-exploitation technique used by various adversaries: credential dumping from the Local Security Authority Subsystem Service (LSASS) process. Published by SigmaHQ, this detection rule identifies attempts to open LSASS.exe with specific, often excessive, GrantedAccess flags. While not tied to a single threat actor or campaign, this behavior is a hallmark of tools like Mimikatz, Lazagne, or custom credential dumpers. Successfully obtaining credentials from LSASS allows attackers to move laterally across a network, escalate privileges, and maintain persistence. Detection engineers should implement robust logging for process access events to identify these suspicious interactions and mitigate potential compromise. This technique is frequently observed in ransomware campaigns, espionage operations, and financially motivated attacks, making its detection vital for Windows endpoint security.
Attack Chain
- Initial Access: Adversary gains initial access to a target system via various methods (e.g., phishing, exploiting a vulnerable service, weak credentials).
- Execution: Malicious code (e.g., malware dropper, attacker-controlled script) is executed on the compromised system.
- Privilege Escalation: If necessary, the attacker elevates privileges to a level that allows interaction with critical system processes like LSASS.
- Process Access Attempt: An attacker-controlled process attempts to open the
lsass.exeprocess with specific, often excessive,GrantedAccessrights for reading its memory. - Credential Dumping: The attacker's process reads the memory of
LSASSto extract sensitive authentication material, such as NTLM hashes, Kerberos tickets, or plaintext passwords. - Lateral Movement & Impact: Stolen credentials are used to authenticate to other systems, facilitating lateral movement within the network or enabling further actions like data exfiltration or ransomware deployment.
Impact
Credential dumping from LSASS is a severe security event. If successful, attackers can obtain sensitive authentication material (e.g., NTLM hashes, Kerberos tickets) for legitimate user accounts, including administrative credentials. This enables seamless lateral movement within the network, allowing adversaries to access other systems and resources without needing to crack passwords. The impact can range from complete domain compromise to widespread data exfiltration or the deployment of ransomware across the enterprise. Organizations in all sectors are targeted by this technique, as credentials are a universal key to system access, leading to significant financial losses, data breaches, and operational disruption.
Recommendation
- Enable Sysmon Event ID 10 (ProcessAccess) logging on all Windows endpoints to capture detailed information about processes accessing other processes.
- Deploy the "Detect Potentially Suspicious GrantedAccess Flags on LSASS" Sigma rule to your SIEM/EDR platform and tune it for your environment.
- Review and tune the
falsepositivessection of the Sigma rule with specific exclusions for known legitimate security products (e.g., EDR, AV, PAM) that may legitimately access LSASS. - Investigate all high-severity alerts generated by the "Detect Potentially Suspicious GrantedAccess Flags on LSASS" rule for potential credential dumping activity.
Detection coverage 1
Detect Potentially Suspicious GrantedAccess Flags on LSASS
highDetects attempts to access the Local Security Authority Subsystem Service (LSASS) process with specific, potentially suspicious GrantedAccess flags often associated with credential dumping tools like Mimikatz or custom memory readers.
Detection queries are available on the platform. Get full rules →