<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Process-Access - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/process-access/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/process-access/feed.xml" rel="self" type="application/rss+xml"/><item><title>LSASS Process Access via Windows API</title><link>https://feed.craftedsignal.io/briefs/2024-01-lsass-process-access/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-lsass-process-access/</guid><description>Detects suspicious access to the LSASS process via Windows API calls, potentially indicating credential dumping and subsequent lateral movement.</description><content:encoded><![CDATA[<p>This detection rule identifies attempts to access the Local Security Authority Subsystem Service (LSASS) process by monitoring for specific Windows API calls: <code>OpenProcess</code>, <code>OpenThread</code>, and <code>ReadProcessMemory</code>. The LSASS process is a critical Windows component that manages user authentication and security policies. Attackers often target LSASS to dump credentials stored in its memory, which can then be used for lateral movement, privilege escalation, and domain compromise. The rule aims to detect unauthorized access attempts indicative of credential access techniques, specifically targeting the lsass.exe process. This is important for defenders because successful credential dumping can lead to widespread compromise of sensitive resources.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities, or compromised credentials).</li>
<li><strong>Execution:</strong> The attacker executes a malicious process or script on the compromised system. This process could be a custom tool, a publicly available credential dumping tool (e.g., Mimikatz), or a script designed to interact with the Windows API.</li>
<li><strong>Privilege Escalation (If Necessary):</strong> The attacker may need to escalate privileges to gain sufficient access to LSASS. This could involve exploiting system vulnerabilities or using techniques like token impersonation.</li>
<li><strong>LSASS Handle Access:</strong> The malicious process uses the <code>OpenProcess</code> or <code>OpenThread</code> API calls to obtain a handle to the LSASS process (<code>lsass.exe</code>). The <code>ReadProcessMemory</code> API is then called to read the contents of the LSASS process's memory.</li>
<li><strong>Credential Extraction:</strong> The attacker parses the memory contents of LSASS to extract sensitive information, such as user credentials (passwords, NTLM hashes, Kerberos tickets).</li>
<li><strong>Lateral Movement:</strong> The attacker uses the stolen credentials to move laterally to other systems on the network, gaining access to additional resources and expanding their control.</li>
<li><strong>Persistence (Optional):</strong> The attacker may establish persistence mechanisms to maintain access to the compromised systems, ensuring they can return even if the initial entry point is detected.</li>
<li><strong>Impact:</strong> The attacker achieves their final objectives, which could include data theft, system disruption, or deployment of ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the compromise of user accounts, including those with administrative privileges. This allows attackers to move laterally within the network, access sensitive data, and potentially disrupt critical business operations. The impact can range from data breaches and financial losses to reputational damage and regulatory penalties. While the exact number of victims and sectors targeted can vary, the potential for widespread compromise makes this a critical threat to monitor.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect LSASS Process Access</code> to your SIEM to identify processes attempting to access LSASS memory via <code>OpenProcess</code> or <code>OpenThread</code>. Tune the rule based on your environment to reduce false positives.</li>
<li>Enable Sysmon process creation logging to ensure the necessary event data is available for the Sigma rules to function correctly.</li>
<li>Investigate any alerts generated by the <code>Detect LSASS Process Access</code> rule, focusing on the process execution chain and the requested access rights to the LSASS process. Reference the Microsoft documentation on process security and access rights to interpret the access rights (<code>process.Ext.api.parameters.desired_access</code> field).</li>
<li>Monitor network connections originating from processes that have accessed LSASS, as this could indicate lateral movement or exfiltration of stolen credentials.</li>
<li>Implement the Osquery queries described in the source document to identify potentially suspicious services running on user accounts or unsigned executables.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>credential-access</category><category>lsass</category><category>windows</category><category>process-access</category></item></channel></rss>