{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/process-access/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","windows","process-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies attempts to access the Local Security Authority Subsystem Service (LSASS) process by monitoring for specific Windows API calls: \u003ccode\u003eOpenProcess\u003c/code\u003e, \u003ccode\u003eOpenThread\u003c/code\u003e, and \u003ccode\u003eReadProcessMemory\u003c/code\u003e. The LSASS process is a critical Windows component that manages user authentication and security policies. Attackers often target LSASS to dump credentials stored in its memory, which can then be used for lateral movement, privilege escalation, and domain compromise. The rule aims to detect unauthorized access attempts indicative of credential access techniques, specifically targeting the lsass.exe process. This is important for defenders because successful credential dumping can lead to widespread compromise of sensitive resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities, or compromised credentials).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The attacker executes a malicious process or script on the compromised system. This process could be a custom tool, a publicly available credential dumping tool (e.g., Mimikatz), or a script designed to interact with the Windows API.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Necessary):\u003c/strong\u003e The attacker may need to escalate privileges to gain sufficient access to LSASS. This could involve exploiting system vulnerabilities or using techniques like token impersonation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLSASS Handle Access:\u003c/strong\u003e The malicious process uses the \u003ccode\u003eOpenProcess\u003c/code\u003e or \u003ccode\u003eOpenThread\u003c/code\u003e API calls to obtain a handle to the LSASS process (\u003ccode\u003elsass.exe\u003c/code\u003e). The \u003ccode\u003eReadProcessMemory\u003c/code\u003e API is then called to read the contents of the LSASS process's memory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Extraction:\u003c/strong\u003e The attacker parses the memory contents of LSASS to extract sensitive information, such as user credentials (passwords, NTLM hashes, Kerberos tickets).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the stolen credentials to move laterally to other systems on the network, gaining access to additional resources and expanding their control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker may establish persistence mechanisms to maintain access to the compromised systems, ensuring they can return even if the initial entry point is detected.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their final objectives, which could include data theft, system disruption, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of user accounts, including those with administrative privileges. This allows attackers to move laterally within the network, access sensitive data, and potentially disrupt critical business operations. The impact can range from data breaches and financial losses to reputational damage and regulatory penalties. While the exact number of victims and sectors targeted can vary, the potential for widespread compromise makes this a critical threat to monitor.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect LSASS Process Access\u003c/code\u003e to your SIEM to identify processes attempting to access LSASS memory via \u003ccode\u003eOpenProcess\u003c/code\u003e or \u003ccode\u003eOpenThread\u003c/code\u003e. Tune the rule based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure the necessary event data is available for the Sigma rules to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eDetect LSASS Process Access\u003c/code\u003e rule, focusing on the process execution chain and the requested access rights to the LSASS process. Reference the Microsoft documentation on process security and access rights to interpret the access rights (\u003ccode\u003eprocess.Ext.api.parameters.desired_access\u003c/code\u003e field).\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from processes that have accessed LSASS, as this could indicate lateral movement or exfiltration of stolen credentials.\u003c/li\u003e\n\u003cli\u003eImplement the Osquery queries described in the source document to identify potentially suspicious services running on user accounts or unsigned executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-lsass-process-access/","summary":"Detects suspicious access to the LSASS process via Windows API calls, potentially indicating credential dumping and subsequent lateral movement.","title":"LSASS Process Access via Windows API","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-process-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Process-Access","version":"https://jsonfeed.org/version/1.1"}