{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/cisco-anyconnect-secure-mobility-client/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Cisco AnyConnect Secure Mobility Client","Cisco Secure Client","Oracle Database"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Oracle"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is the Windows process that enforces the local security policy and authenticates users, so its memory holds cached credential material such as NTLM hashes and Kerberos tickets. Attackers target LSASS to extract that material for unauthorized access and privilege escalation. This detection rule identifies suspicious access to LSASS memory, a common sign of credential dumping, by monitoring process access events, checking the access rights granted on the handle to lsass.exe, and filtering out known benign source processes and access patterns so that the anomalous accesses associated with credential theft stand out. 
It helps defenders identify credential access attempts before they lead to a wider compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, for example through phishing or exploitation of a vulnerability, and obtains local administrator rights (lsass.exe runs as SYSTEM, and reading its memory requires SeDebugPrivilege).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious process or script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process calls \u003ccode\u003eOpenProcess\u003c/code\u003e to obtain a handle to lsass.exe.\u003c/li\u003e\n\u003cli\u003eThe tool requests the access rights it needs to read LSASS memory, typically \u003ccode\u003ePROCESS_VM_READ\u003c/code\u003e (0x0010) together with \u003ccode\u003ePROCESS_QUERY_INFORMATION\u003c/code\u003e (0x0400) or \u003ccode\u003ePROCESS_QUERY_LIMITED_INFORMATION\u003c/code\u003e (0x1000). \u003ccode\u003eReadProcessMemory\u003c/code\u003e and \u003ccode\u003eMiniDumpWriteDump\u003c/code\u003e fail without \u003ccode\u003ePROCESS_VM_READ\u003c/code\u003e, which is why GrantedAccess masks such as 0x1010 and 0x1410 in Sysmon Event ID 10 are the key detection field.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s process may bypass or disable endpoint detection and response (EDR) tooling to avoid detection.\u003c/li\u003e\n\u003cli\u003eThe tool dumps LSASS memory and extracts sensitive material such as usernames, password hashes or plaintext passwords, and Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to move laterally within the network, accessing other systems and resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful LSASS memory dump can expose domain credentials, allowing attackers to move laterally within the network and gain access to sensitive data and systems. This can result in data breaches, financial loss, and reputational damage. Organizations across all sectors are exposed, particularly those with weak credential management practices. 
A single compromised account can lead to widespread damage, potentially affecting thousands of systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process access event logging (Event ID 10) for lsass.exe as described in the setup instructions linked in the rule; without it the rule has no data to match.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Lsass Process Access\u0026rdquo; to your SIEM and tune its exclusions for your environment to reduce false positives. Exclude by full image path rather than file name, since a dump tool renamed to match an allowlisted binary would otherwise slip through.\u003c/li\u003e\n\u003cli\u003eReview and harden privileged account management practices to limit the impact of credential compromise; enabling LSA Protection (RunAsPPL) and Credential Guard also prevents unprotected user-mode processes from reading LSASS memory in the first place.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual process creation events, especially processes launched from unexpected locations such as user temp directories, to identify potential initial access.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for vulnerabilities and apply patches to prevent exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-lsass-access/","summary":"This rule identifies suspicious access to the LSASS process, a likely sign of credential dumping, by filtering out legitimate source processes and access patterns and surfacing the anomalies that remain.","title":"Suspicious LSASS Process Access","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-lsass-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Cisco AnyConnect Secure Mobility Client","version":"https://jsonfeed.org/version/1.1"}
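As an added worked example (not part of the CraftedSignal brief above, and not the Sigma rule's own logic), the core of the detection the brief describes, run over a few constructed Sysmon Event ID 10 records: match the target lsass.exe, decode the GrantedAccess mask to see whether the handle can read process memory, and drop known benign source images by full path. Field names follow Sysmon's ProcessAccess schema (SourceImage, TargetImage, GrantedAccess, CallTrace); the exclusion list and the sample events are assumptions for illustration, not the rule's actual filter list or real telemetry.

```python
"""Minimal LSASS process-access detection over Sysmon Event ID 10 records.

Added example. The exclusion list and the sample events are constructed for
illustration and do not reproduce the Sigma rule's real filters.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows process access rights relevant to reading LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Rights that let a caller read (or tamper with) LSASS memory. A dump tool
# cannot call ReadProcessMemory / MiniDumpWriteDump without PROCESS_VM_READ.
DUMP_CAPABLE = PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumed allowlist of source images that legitimately open LSASS, matched on
# the full lowercase path so a renamed binary in a user-writable directory
# still alerts.
BENIGN_SOURCE_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass
class Alert:
    source_image: str
    granted_access: int
    reason: str


def decode_access(mask: int) -> List[str]:
    """Name the individual rights set in a GrantedAccess mask (fixed order)."""
    names = [
        (PROCESS_VM_READ, "PROCESS_VM_READ"),
        (PROCESS_VM_WRITE, "PROCESS_VM_WRITE"),
        (PROCESS_QUERY_INFORMATION, "PROCESS_QUERY_INFORMATION"),
        (PROCESS_QUERY_LIMITED_INFORMATION, "PROCESS_QUERY_LIMITED_INFORMATION"),
    ]
    return [name for bit, name in names if mask & bit]


def evaluate(event: Dict[str, object]) -> Optional[Alert]:
    """Return an Alert for a suspicious LSASS access, or None if benign."""
    if event.get("EventID") != 10:
        return None
    if not str(event["TargetImage"]).lower().endswith(r"\lsass.exe"):
        return None
    mask = int(str(event["GrantedAccess"]), 16)
    if not mask & DUMP_CAPABLE:
        # Query-only handles (e.g. 0x1000) are routine noise from task
        # managers and AV; they cannot read memory.
        return None
    if str(event["SourceImage"]).lower() in BENIGN_SOURCE_IMAGES:
        return None
    reason = "+".join(decode_access(mask))
    # Sysmon writes UNKNOWN(<addr>) in CallTrace for frames in unbacked
    # memory, a strong sign of injected or reflectively loaded dump code.
    if "UNKNOWN" in str(event.get("CallTrace", "")):
        reason += " from unbacked memory"
    return Alert(str(event["SourceImage"]), mask, reason)


def run(events: List[Dict[str, object]]) -> List[Alert]:
    """Evaluate every record and keep only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d7a4"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d7a4"},
    # Renamed dump tool in a user temp directory: same file name as an
    # allowlisted binary, different path, so it must still alert.
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d7a4|UNKNOWN(00000000001A2B3C)"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d7a4"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d7a4"},
]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"ALERT {alert.source_image} "
              f"GrantedAccess=0x{alert.granted_access:x} ({alert.reason})")
```

Two of the five constructed records alert: the renamed svchost.exe in the temp directory (0x1010 with an unbacked-memory frame) and notepad.exe opening LSASS with PROCESS_ALL_ACCESS (0x1fffff). The Defender engine's 0x1410 handle is suppressed only because its full path is allowlisted; matching on file name alone would have let the temp-directory copy through as well.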