{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/seclogon/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","lsass","seclogon","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat leverages the Windows Secondary Logon service (seclogon.dll) to gain unauthorized access to the Local Security Authority Subsystem Service (LSASS) process. The attack involves manipulating the seclogon service to leak an LSASS handle, which can then be used to extract credentials. This technique is often employed as a precursor to credential dumping and lateral movement within a compromised network. The detection focuses on identifying specific call traces to seclogon.dll coupled with suspicious access rights (0x14c0) when accessing LSASS, originating from svchost.exe. Defenders should monitor for this activity as it indicates a potential attempt to compromise sensitive credentials stored within LSASS memory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes code within the context of a user account.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the Secondary Logon service (seclogon.dll) to request access to LSASS.\u003c/li\u003e\n\u003cli\u003eThe malicious code interacts with the seclogon service to obtain a handle to the LSASS process with specific access rights (0x14c0), typically from an svchost.exe process.\u003c/li\u003e\n\u003cli\u003eThe seclogon service, acting on behalf of the attacker, grants access to LSASS.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the leaked LSASS handle to read memory contents.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information, such as user credentials (passwords, NTLM hashes, Kerberos tickets), from the LSASS memory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement, privilege escalation, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal user credentials, leading to unauthorized access to sensitive systems and data. This can result in data breaches, financial losses, and reputational damage. The compromise of domain administrator credentials can grant the attacker complete control over the entire Windows domain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (event ID 1) and process access logging (event ID 10) to detect suspicious LSASS handle access.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Lsass Handle Access via MalSecLogon\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the call trace, access rights, and source process.\u003c/li\u003e\n\u003cli\u003eMonitor authentication events for signs of credential misuse following suspicious LSASS access.\u003c/li\u003e\n\u003cli\u003eReview local administrator and debug-privilege exposure, LSASS protection such as RunAsPPL or Credential Guard where supported, and whether the Secondary Logon service is actually needed on critical servers.\u003c/li\u003e\n\u003cli\u003eBlock the GrantedAccess value \u0026ldquo;0x14c0\u0026rdquo; in conjunction with CallTrace \u0026ldquo;\u003cem\u003eseclogon.dll\u003c/em\u003e\u0026rdquo; when the TargetImage is \u0026ldquo;lsass.exe\u0026rdquo; (Sysmon Event ID 10).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-mal-seclogon-lsass/","summary":"An attacker abuses the Secondary Logon service (seclogon.dll) to gain unauthorized access to the LSASS process, potentially leaking credentials.","title":"Suspicious LSASS Access via Malicious Secondary Logon Service","url":"https://feed.craftedsignal.io/briefs/2024-01-mal-seclogon-lsass/"}],"language":"en","title":"CraftedSignal Threat Feed — Seclogon","version":"https://jsonfeed.org/version/1.1"}