Suspicious Parent Spawning LsaIso
Rule added on 20th February, 2024
Prerequisite:
The rule requires Sysmon to be enabled for proper functioning.
Rule type:
Correlation
Rule description:
This rule monitors cases where a process other than the legitimate parent of the LSA Isolation process (LsaIso.exe) spawns a new LsaIso.exe process. LsaIso is involved in user privilege management, and a suspicious spawn could indicate an attempt to tamper with those privileges.
Data source:
Windows: Network traffic, process, kernel
Relevant MITRE ATT&CK techniques and tactics:
Tactics: TA0006 - Credential Access
Techniques: T1003 - OS Credential Dumping
Sub-techniques: T1003.004 - LSA Secrets
Criteria:
Suspicious parent spawning LsaIso.exe:
- This rule checks for the spawning of "LsaIso.exe".
- It considers the spawn suspicious if the parent process image is not one of the legitimate wininit.exe locations (Windows\System32\wininit.exe, Windows\SysWow64\wininit.exe, or WINNT\system32\wininit.exe).
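The criteria above, as an added example that is not the product's own rule logic: a small matcher run over constructed Sysmon Event ID 1 records, comparing the parent image path case-insensitively and ignoring the drive letter so that both a benign boot-time start and a wininit.exe copy in the wrong directory are classified correctly.

```python
import re

# Allowed parent locations, as listed in the rule criteria (relative to the
# drive root, compared case-insensitively).
LEGITIMATE_WININIT_PATHS = (
    r"\windows\system32\wininit.exe",
    r"\windows\syswow64\wininit.exe",
    r"\winnt\system32\wininit.exe",
)

def normalize(path: str) -> str:
    """Lower-case the path, fold forward slashes to backslashes and strip the
    drive letter so 'C:\\Windows...' and 'd:\\WINDOWS...' compare equal."""
    path = path.strip().replace("/", "\\").lower()
    return re.sub(r"^[a-z]:", "", path)

def is_suspicious_lsaiso_spawn(event: dict) -> bool:
    """True for a Sysmon Event ID 1 (process creation) record in which LsaIso.exe
    is started by anything other than wininit.exe from a legitimate location."""
    if event.get("EventID") != 1:
        return False
    image = normalize(event.get("Image", ""))
    if not image.endswith("\\lsaiso.exe"):
        return False
    parent = normalize(event.get("ParentImage", ""))
    return parent not in LEGITIMATE_WININIT_PATHS

def find_alerts(events: list) -> list:
    return [e for e in events if is_suspicious_lsaiso_spawn(e)]

# Constructed sample records (not real telemetry) in the shape of Sysmon
# Event ID 1 fields after extraction.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\LsaIso.exe",
     "ParentImage": r"C:\Windows\System32\wininit.exe"},   # benign boot-time start
    {"EventID": 1, "Image": r"c:\windows\system32\lsaiso.exe",
     "ParentImage": r"D:\WINNT\system32\WININIT.EXE"},     # benign: case and drive differ
    {"EventID": 1, "Image": r"C:\Windows\System32\LsaIso.exe",
     "ParentImage": r"C:\Users\Public\wininit.exe"},       # suspicious: wrong directory
    {"EventID": 1, "Image": r"C:\Windows\System32\LsaIso.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},       # suspicious: non-wininit parent
    {"EventID": 3, "Image": r"C:\Windows\System32\LsaIso.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},       # not a process-creation event
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT: LsaIso.exe spawned by", alert["ParentImage"])
```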
When to enable this rule:
Enable this rule to detect potential lateral movement or privilege escalation attacks carried out through malware installation, with a specific focus on suspicious parent processes spawning LsaIso.exe.
Compliance mapping (NIST, CIS):
- NIST CSF: DE.AE (Detection Processes) for detecting unusual activities involving the LSA Isolated Mode process.
- CIS Control: 8 (Malware Defense) to secure the isolated Local Security Authority process from unauthorized access or manipulation.
Next steps:
Upon triggering this alert, the following actions can be taken:
- Identification: Mark this alert as part of an existing incident or open a new incident. Assign the incident to an analyst for in-depth examination.
- Analysis: Conduct an impact investigation and assess the degree of compromise using the Incident Workbench to gain insight into the threat's severity.
- Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.