Attack Chain

1. The attacker gains initial access to the system (e.g., via phishing or exploitation of a vulnerability).
2. The attacker executes code within the context of a user account.
3. The attacker leverages the Secondary Logon service (seclogon.dll) to request access to LSASS.
4. The malicious code interacts with the seclogon service to obtain a handle to the LSASS process with specific access rights (0x14c0), typically from a svchost.exe process.
5. The seclogon service, acting on behalf of the attacker, grants access to LSASS.
6. The attacker uses the leaked LSASS handle to read memory contents.
7. The attacker extracts sensitive information, such as user credentials (passwords, NTLM hashes, Kerberos tickets), from the LSASS memory.
8. The attacker uses the stolen credentials for lateral movement, privilege escalation, or data exfiltration.

Impact

Successful exploitation allows attackers to steal user credentials, leading to unauthorized access to sensitive systems and data. This can result in data breaches, financial losses, and reputational damage. The compromise of domain administrator credentials can grant the attacker complete control over the entire Windows domain.

Recommendation

• Enable Sysmon process creation logging (event ID 1) and process access logging (event ID 10) to detect suspicious LSASS handle access.
• Deploy the Sigma rule “Suspicious Lsass Handle Access via MalSecLogon” to your SIEM and tune for your environment.
• Investigate any alerts generated by the Sigma rule, focusing on the call trace, access rights, and source process.
• Monitor authentication events for signs of credential misuse following suspicious LSASS access.
• Review local administrator and debug-privilege exposure, LSASS protection such as RunAsPPL or Credential Guard where supported, and Secondary Logon service necessity on critical servers
• Block the GrantedAccess value “0x14c0” in conjunction with CallTrace “seclogon.dll” when the TargetImage is “lsass.exe” (Sysmon Event ID 10).