{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/security-event/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["credential-dumping","post-exploitation","windows","security-event"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief details a critical detection capability aimed at identifying credential dumping attempts on Windows systems. Threat actors frequently target the Local Security Authority Subsystem Service (LSASS) process to extract cached credentials, which can then be used for lateral movement, privilege escalation, and persistent access. The detection focuses on suspicious access mask requests to the LSASS process (lsass.exe). While legitimate processes, especially security products, may access LSASS, specific combinations of access rights and process names are highly indicative of malicious activity. This detection leverages Windows Security Event IDs 4656 and 4663, which log handle requests and object access attempts, to pinpoint anomalous interactions with LSASS. Implementing this detection helps defenders uncover post-exploitation activities and prevent further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis brief focuses on a specific post-exploitation technique rather than a full attack chain:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Prerequisite)\u003c/strong\u003e: An attacker gains initial access to a target Windows system through various means (e.g., phishing, exploiting a vulnerable service, RDP brute-force).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation\u003c/strong\u003e: The attacker achieves local administrator or SYSTEM privileges, which are often necessary to interact with the LSASS process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLSASS Process Targeting\u003c/strong\u003e: The attacker's malicious tool (e.g., Mimikatz, procdump) attempts to open a handle to the \u003ccode\u003elsass.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuspicious Access Request\u003c/strong\u003e: The tool requests specific, often broad or highly privileged, access masks (e.g., \u003ccode\u003e0x40\u003c/code\u003e, \u003ccode\u003e0x1400\u003c/code\u003e, \u003ccode\u003e0x100000\u003c/code\u003e, \u003ccode\u003e0x1f0fff\u003c/code\u003e) to the LSASS process memory. These access masks allow reading or controlling the process's memory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Dumping\u003c/strong\u003e: Upon successful handle acquisition, the tool reads the LSASS memory to extract cached user credentials, NTLM hashes, or Kerberos tickets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement / Persistence\u003c/strong\u003e: The stolen credentials are then used to authenticate to other systems on the network, escalate privileges further, or establish persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful credential dumping from LSASS allows attackers to obtain highly sensitive user credentials, including those of domain administrators. This enables unfettered lateral movement across the network, privilege escalation, and access to critical resources and data. The impact can range from complete domain compromise to widespread data exfiltration, system destruction, or deployment of ransomware. Organizations could face significant financial losses due to operational disruption, data recovery costs, regulatory fines, and reputational damage. Detecting and responding to these attempts is crucial to preventing broader compromises.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM solution to detect suspicious access to the LSASS process.\u003c/li\u003e\n\u003cli\u003eEnsure Windows Security Event logging (specifically Event IDs 4656 and 4663) is enabled and configured to capture object access attempts on your endpoints.\u003c/li\u003e\n\u003cli\u003eReview and tune the \u003ccode\u003efilter_main_*\u003c/code\u003e and \u003ccode\u003efilter_optional_*\u003c/code\u003e sections of the Sigma rule by adding legitimate internal security tools or processes that interact with LSASS for monitoring or management purposes, to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate all \u003ccode\u003emedium\u003c/code\u003e severity alerts generated by this rule immediately, as they indicate potential credential dumping attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:06:04Z","date_published":"2026-07-03T14:06:04Z","id":"https://feed.craftedsignal.io/briefs/2026-07-lsass-access-mask/","summary":"This brief describes the detection of suspicious access mask requests to the Local Security Authority Subsystem Service (LSASS) process, a common post-exploitation technique used by threat actors for credential dumping on Windows systems.","title":"Potentially Suspicious AccessMask Requested From LSASS","url":"https://feed.craftedsignal.io/briefs/2026-07-lsass-access-mask/"}],"language":"en","title":"CraftedSignal Threat Feed - Security-Event","version":"https://jsonfeed.org/version/1.1"}