From e199db5bdbe1b1ec5afa95c227c9fef7a2ed91a5 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Thu, 27 Mar 2025 22:25:34 +0100
Subject: [PATCH] feat(rules): LSASS handle leak via Seclogon

Identifies suspicious access to LSASS process from a callstack pointing to seclogon.dll that may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.
---
 ..._access_lsass_handle_leak_via_seclogon.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/credential_access_lsass_handle_leak_via_seclogon.yml

diff --git a/rules/credential_access_lsass_handle_leak_via_seclogon.yml b/rules/credential_access_lsass_handle_leak_via_seclogon.yml
new file mode 100644
index 000000000..920d2175a
--- /dev/null
+++ b/rules/credential_access_lsass_handle_leak_via_seclogon.yml
@@ -0,0 +1,28 @@
+name: LSASS handle leak via Seclogon
+id: 5d55c938-875e-49e1-ae53-fa196d4445eb
+version: 1.0.0
+description: |
+ Identifies suspicious access to LSASS process from a callstack pointing to seclogon.dll that
+ may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in
+ preparation for credential access.
+labels:
+ tactic.id: TA0006
+ tactic.name: Credential Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.name: OS Credential Dumping
+ technique.ref: https://attack.mitre.org/techniques/T1003/
+ subtechnique.id: T1003.001
+ subtechnique.name: LSASS Memory
+ subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
+references:
+ - https://github.com/antonioCoco/MalSeclogon
+ - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html

+condition: >
+ open_process and kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.name ~= 'svchost.exe'
+ and
+ ps.access.mask.names in ('CREATE_PROCESS', 'DUP_HANDLE') and thread.callstack.modules imatches ('*seclogon.dll')
+
+severity: high
+
+min-engine-version: 2.4.0
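Review bot: The labels block lists tactic.id, subtechnique.id and technique.name/technique.ref but omits the technique identifier, which breaks the pattern every other label group follows; add `technique.id: T1003` before `technique.name: OS Credential Dumping` so downstream ATT&CK mapping does not have to derive it from the ref URL. In the condition, the source process is pinned only by `ps.name ~= 'svchost.exe'`, so any process that happens to be named svchost.exe satisfies that clause — the seclogon.dll callstack check is what actually carries the detection, and the note should say so; if the engine exposes the image path or command line for the process, tightening to the Secondary Logon host (for example `ps.exe imatches '?:\\Windows\\System32\\svchost.exe'`, or a command-line check for the seclogon service group) would make the clause meaningful rather than decorative. A short comment on the rule explaining why the legitimate seclogon service opening lsass.exe with CREATE_PROCESS or DUP_HANDLE is unexpected — the references describe the service opening the caller's process, not LSASS — would help whoever tunes this rule later.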