Suspicious Parent Spawning Lsass

Rule added on 20th February, 2024

Prerequisite:

The rule requires process-creation logging with parent process information: either Sysmon (Event ID 1, which records Image and ParentImage) or Windows Security auditing with process creation auditing enabled (Event ID 4688 with the creator process name populated). Without the parent image in the log the rule cannot evaluate its condition.

Rule type:

Correlation

Rule description:

This rule monitors for instances where a process other than the legitimate parent of the Local Security Authority Subsystem Service (lsass.exe) creates a new lsass process. On a healthy Windows host lsass.exe is started once, at boot, by wininit.exe; any other parent indicates either a binary named lsass.exe placed elsewhere to blend in, or a process started under the lsass name and path with an attacker-controlled parent. Attackers use this to hide credential-theft tooling, to inject into or hollow a look-alike process, or to manipulate security policies.

Data source:

Windows: Network traffic, process, kernel

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0005 - Defense Evasion

Techniques: T1134 - Access Token Manipulation, T1055 - Process Injection

Sub-techniques: T1134.004 - Parent PID Spoofing, T1055.012 - Process Hollowing

Criteria:

This rule targets process-creation events whose image path ends with "lsass.exe" (the full path is evaluated, so C:\Users\Public\lsass.exe matches as well as C:\Windows\System32\lsass.exe).

It marks the spawn as suspicious if the parent image is not one of the legitimate wininit.exe locations (Windows\System32\wininit.exe, Windows\SysWow64\wininit.exe, or WINNT\system32\wininit.exe). Path comparison should be case-insensitive, since Windows paths are.

Two caveats when tuning: a plain "ends with lsass.exe" string match also catches names such as notlsass.exe, so matching on the file-name component is tighter; and because Sysmon and Event ID 4688 report the parent that the new process claims, an attacker who spoofs wininit.exe as the parent (T1134.004) will be logged with a legitimate parent and will not trigger this rule, so pair it with checks on the lsass image path and hash.
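Equivalent detection logic in Python, added here as an illustration and not the product's own rule implementation, run over a few constructed Sysmon Event ID 1 records (not real captures). Field names follow the Sysmon schema (Image, ParentImage, ProcessId, ParentProcessId); the wininit.exe path list mirrors the criteria above, and ignoring the drive letter is an assumption. It is stricter than a raw "ends with lsass.exe" match: it compares the file-name component, so notlsass.exe does not match while lsass.exe in a user-writable directory does, and it labels each alert so the analyst can tell a misplaced binary from a system-path lsass with the wrong parent.

```python
import ntpath

# Legitimate wininit.exe locations from the rule criteria, lower-cased and
# without a drive letter (drive-agnostic matching is an assumption).
LEGIT_WININIT_PATHS = {
    r"windows\system32\wininit.exe",
    r"windows\syswow64\wininit.exe",
    r"winnt\system32\wininit.exe",
}

# Where the real lsass.exe lives; used only to classify an alert.
SYSTEM_LSASS_PATHS = {
    r"windows\system32\lsass.exe",
    r"winnt\system32\lsass.exe",
}


def _normalize(path):
    """Lower-case, unify separators and drop the drive letter."""
    path = path.replace("/", "\\").lower()
    _drive, rest = ntpath.splitdrive(path)
    return rest.lstrip("\\")


def is_lsass_image(image):
    """True when the file-name component is exactly lsass.exe."""
    return ntpath.basename(_normalize(image)) == "lsass.exe"


def has_legitimate_parent(parent_image):
    """True when the parent is one of the whitelisted wininit.exe paths."""
    return _normalize(parent_image) in LEGIT_WININIT_PATHS


def evaluate(event):
    """Return an alert dict for a suspicious lsass spawn, else None."""
    image = event.get("Image", "")
    if not is_lsass_image(image):
        return None
    parent = event.get("ParentImage", "")
    if parent and has_legitimate_parent(parent):
        return None
    # A system-path lsass with a wrong parent points at injection,
    # hollowing or PPID games; a non-system path at plain masquerading.
    if _normalize(image) in SYSTEM_LSASS_PATHS:
        kind = "system-path lsass with unexpected parent"
    else:
        kind = "lsass.exe outside the Windows system directory"
    return {
        "rule": "Suspicious Parent Spawning Lsass",
        "pid": event.get("ProcessId"),
        "image": image,
        "parent_pid": event.get("ParentProcessId"),
        "parent_image": parent or "<missing>",
        "classification": kind,
    }


def run_rule(events):
    """Evaluate every event and return the alerts that fired."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


# Constructed Sysmon Event ID 1 records (not real captures).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 712, "Image": r"C:\Windows\System32\lsass.exe",
     "ParentProcessId": 604, "ParentImage": r"C:\Windows\System32\wininit.exe"},
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Windows\System32\lsass.exe",
     "ParentProcessId": 4988, "ParentImage": r"C:\Windows\Temp\updater.exe"},
    {"EventID": 1, "ProcessId": 6032, "Image": r"C:\Users\Public\lsass.exe",
     "ParentProcessId": 3880, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2240, "Image": r"C:\Tools\notlsass.exe",
     "ParentProcessId": 3880, "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessId": 3308, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentProcessId": 744, "ParentImage": r"C:\Windows\System32\services.exe"},
]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Only the second and third sample events fire: the boot-time lsass under wininit.exe and the unrelated svchost.exe are ignored, and notlsass.exe is skipped by the file-name check that a raw suffix match would have caught.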

When to enable this rule:

Enable this rule to identify potential credential theft attempts in which malware runs as, or tampers with, a process named lsass; it focuses specifically on the parent process that spawned the lsass instance, which is a stable signal because the genuine lsass.exe is only ever started by wininit.exe.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation. Confirm the image path and parent before the workflow runs: the process to terminate is the one with the unexpected parent or non-system path, never the genuine C:\Windows\System32\lsass.exe, since killing the real LSASS forces the host to reboot.