From 5db62014aa18fbdbcddd76c82eb9662a9de6fae0 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Thu, 27 Mar 2025 18:26:55 +0100
Subject: [PATCH] feat(rules): LSASS access from unsigned executable

Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). Adversaries may try to dump credential information stored in the process memory of LSASS.
---
 ..._lsass_access_from_unsigned_executable.yml | 32 +++++++++++++++++++
 rules/macros/macros.yml | 6 ++++
 2 files changed, 38 insertions(+)
 create mode 100644 rules/credential_access_lsass_access_from_unsigned_executable.yml

diff --git a/rules/credential_access_lsass_access_from_unsigned_executable.yml b/rules/credential_access_lsass_access_from_unsigned_executable.yml
new file mode 100644
index 000000000..66329dfff
--- /dev/null
+++ b/rules/credential_access_lsass_access_from_unsigned_executable.yml
@@ -0,0 +1,32 @@
+name: LSASS access from unsigned executable
+id: 348bf896-2201-444f-b1c9-e957a1f063bf
+version: 1.0.0
+description: |
+  Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS).
+  Adversaries may try to dump credential information stored in the process memory of LSASS.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.name: OS Credential Dumping
+  technique.ref: https://attack.mitre.org/techniques/T1003/
+  subtechnique.id: T1003.001
+  subtechnique.name: LSASS Memory
+  subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
+references:
+  - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
+
+condition: >
+  sequence
+  maxspan 7m
+  by ps.uuid
+  |load_unsigned_executable|
+  |((open_process) or (open_thread)) and kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'|
+action:
+  - name: kill
+
+output: >
+  Unsigned executable %1.image.path attempted to access Local Security Authority Subsystem Service
+severity: high
+
+min-engine-version: 2.2.0
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index ac8c9ec75..b916aa575 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
@@ -150,6 +150,12 @@
   expr: >
     load_module and (image.name iendswith '.dll' or image.is_dll)
 
+- macro: load_unsigned_executable
+  expr: >
+    load_executable
+    and
+    image.signature.type = 'NONE'
+
 - macro: load_untrusted_executable
   expr: >
     load_executable
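Review bot: The second stage of the `condition` sequence matches any `open_process`/`open_thread` event whose `kevt.arg[exe]` is lsass.exe, with no restriction on the access rights requested, and `action: kill` then terminates the process, so benign unsigned software that opens LSASS with a limited query mask (inventory or monitoring agents, in-house tools, a debugger) is killed on its first such call. Consider narrowing that stage on the desired-access mask argument of the open-process event to rights that allow reading process memory, or at least measuring the false-positive rate before shipping the kill action, since the rule carries no parent, path or user exclusions. Note also that `maxspan 7m` bounds the gap between the unsigned image load and the LSASS access, so this is a coverage limit worth recording in `description`; what the first stage anchors on depends on `load_executable`, which is defined outside this hunk. A short comment above `action:` such as `# kill is unconditional on the access mask; review FP rate before enabling in production` would make the trade-off visible to operators tuning the rule.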
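Review bot: `load_unsigned_executable` equates `image.signature.type = 'NONE'` with "unsigned", but nothing in the hunk states what `NONE` covers — only images with neither an embedded nor a catalog signature, or also images whose signature the engine has not (yet) verified; if the latter, every rule built on this macro inherits that ambiguity and should be documented accordingly. A one-line comment above the macro, e.g. `# image load where the engine reports no signature at all (signature type NONE); distinct from load_untrusted_executable below`, would make the intended distinction from the adjacent `load_untrusted_executable` macro explicit. The body of `load_untrusted_executable` continues past the end of the hunk, so its relationship to this macro cannot be confirmed here.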