LSASS Access Detected via Attack Surface Reduction

Detects Access to LSASS Process

Rule Content

- title: LSASS Access Detected via Attack Surface Reduction
  id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
  description: Detects Access to LSASS Process
  status: experimental
  references:
  - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
  author: Markus Neis
  date: 2018/08/26
  tags:
  - attack.credential_access
  - attack.t1003
  logsource:
    product: windows_defender
    definition: 'Requirements: Enabled Block credential stealing from the Windows local
      security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID:
      9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
    service: null
    category: null
  detection:
    selection:
      EventID: 1121
      Path: '*\lsass.exe'
    condition: selection
  falsepositives:
  - Google Chrome GoogleUpdate.exe
  - Some Taskmgr.exe related activity
  level: high
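To see how the selection above evaluates, here is an added Python example (not part of the rule or of the HELK notebook) that translates the Sigma wildcard in Path into a regex, applies the selection to constructed sample events, and sets aside hits from the two initiating images the rule lists as false positives; the initiating_process field and all sample values are assumptions made for the illustration.

```python
import re

# Selection from the rule above; Path is a Sigma wildcard, not a regex.
RULE_SELECTION = {"EventID": 1121, "Path": r"*\lsass.exe"}
# Image names the rule lists under falsepositives (compared case-insensitively).
KNOWN_FP_IMAGES = {"googleupdate.exe", "taskmgr.exe"}

def sigma_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma wildcard value into an anchored, case-insensitive regex.
    Only '*' and '?' are special; everything else, including the backslash
    path separator, is matched literally."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

PATH_RE = sigma_wildcard_to_regex(RULE_SELECTION["Path"])

def matches_selection(event: dict) -> bool:
    """True when the event satisfies both fields of the rule's selection."""
    return (event.get("event_id") == RULE_SELECTION["EventID"]
            and PATH_RE.match(event.get("process_path", "")) is not None)

def triage(events):
    """Apply the selection, then split hits into alerts and hits whose initiating
    image is one of the rule's documented false positives. 'initiating_process'
    is an assumed field name for the example, not one defined by the rule."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_selection(ev):
            continue
        image = ev.get("initiating_process", "").rsplit("\\", 1)[-1].lower()
        (suppressed if image in KNOWN_FP_IMAGES else alerts).append(ev)
    return alerts, suppressed

# Constructed sample events (not real telemetry) using the field names the
# Elasticsearch query on this page uses.
LSASS = r"C:\Windows\System32\lsass.exe"
TEMP_TOOL = r"C:\Users\alice\AppData\Local\Temp\unknown_tool.exe"
SAMPLE_EVENTS = [
    {"event_id": 1121, "process_path": LSASS, "initiating_process": TEMP_TOOL},
    {"event_id": 1121, "process_path": LSASS,
     "initiating_process": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {"event_id": 1121, "process_path": LSASS,
     "initiating_process": r"C:\Windows\System32\Taskmgr.exe"},
    # 1122 is the audit-mode counterpart of 1121; the rule only wants blocks.
    {"event_id": 1122, "process_path": LSASS, "initiating_process": TEMP_TOOL},
    # Ends in lsass.exe without the separator, so '*\lsass.exe' must not match.
    {"event_id": 1121, "process_path": r"C:\Temp\notlsass.exe", "initiating_process": TEMP_TOOL},
]
```

Calling `triage(SAMPLE_EVENTS)` on these events yields one alert (the unknown image in Temp) and two suppressed hits; the audit-mode event and the notlsass.exe path never enter the selection.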

Querying Elasticsearch

Import Libraries


# elasticsearch-py client, the elasticsearch_dsl query builder, and pandas
# for tabulating the hits.
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


# HELK's Elasticsearch endpoint and the index pattern holding the Windows logs.
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


# In query_string syntax the backslash is the escape character, so the literal
# path separator before lsass.exe must be sent as "\\"; a raw string keeps Python
# from consuming the escapes first.
s = searchContext.query('query_string', query=r'(event_id:"1121" AND process_path.keyword:*\\lsass.exe)')
response = s.execute()
if not response.success():
    raise RuntimeError('Elasticsearch query failed or had shard failures')
# scan() pages through every hit rather than only the first result window.
df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results


# First rows of the matching events.
df.head()