Prasanna1
Staff
August 12, 2020

HUNTS- LSASS Driver (T1177)

Version 1.0


ATT&CK Technique: LSASS Driver (T1177). In the ATT&CK sub-technique release this ID was retired and the technique now lives under Boot or Logon Autostart Execution: LSASS Driver (T1547.008); the hunt logic is unchanged.


What this playbook hunts for:

  • Failed driver loads by lsass.exe. To achieve persistence and execute malicious code, attackers may inject code into the DLLs (LSA plug-ins, which Microsoft and ATT&CK also call drivers) that lsass.exe loads, or replace a legitimate DLL with a malicious version. When LSA Protection (RunAsPPL) is enabled, lsass.exe runs as a protected process and Code Integrity refuses to load any DLL that is not signed to the required level; the refusal is written to the Microsoft-Windows-CodeIntegrity/Operational log as Event ID 3033 (Microsoft signing level not met) or Event ID 3063 (shared-section requirements not met).

  • Execution of an illegitimate lsass.exe process. To achieve persistence and execute malicious code, attackers may drop a renamed or trojanized binary called lsass.exe outside of %SystemRoot%\System32 so that it blends in with the real process in task lists.

  • DLLs loaded by an illegitimate lsass.exe process. To achieve persistence and execute malicious code, attackers may use that illegitimate lsass.exe binary as a loader for malicious DLLs; if it runs as SYSTEM, the DLLs inherit those permissions.

  • Illegitimate DLLs loaded by the legitimate lsass.exe. Several techniques can load an attacker-controlled DLL into the real lsass.exe, for example registering it as an authentication package, security support provider, or password filter. Doing so gives the attacker code execution inside the process that holds credential material, and persistence across reboots.


How the playbook works:

  • Generates a SIEM query for Windows Event IDs 3033 and 3063 from the Microsoft-Windows-CodeIntegrity/Operational log (blocked loads into lsass.exe).

  • Generates a SIEM query for Sysmon Event ID 1 logs where a process named lsass.exe is executed from any path other than the Windows system directory (the only legitimate location is %SystemRoot%\System32\lsass.exe).

  • Generates a SIEM query for Sysmon Event ID 7 logs where the loading process is an lsass.exe that resides outside of the Windows system directory, returning every DLL that illegitimate copy loads.

  • Generates a SIEM query for Sysmon Event ID 7 logs where the loading process is the legitimate lsass.exe and the loaded DLL resides outside of the Windows system directories.
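The four queries above, expressed as filters over a handful of constructed Windows events so the logic can be checked offline. This is an added example and not part of the HUNTS playbook; the record layout and field names (Sysmon's Image, ImageLoaded, ProcessId, Hashes, CommandLine and User, and the Code Integrity channel's ProcessNameBuffer and FileNameBuffer) are assumptions about how the SIEM would present these events, and every sample record is made up. The path check is anchored to a drive letter or NT device path on purpose: a plain substring match on \Windows\System32\ would let C:\Users\jdoe\Windows\System32\lsass.exe pass as legitimate.

```python
# Added example: the HUNTS LSASS Driver queries as filters over constructed events.
# Field names follow Sysmon EventData and the CodeIntegrity channel (assumed layout).
import re
from pathlib import PureWindowsPath

# Anchored to a drive letter or NT device path so a lookalike tree such as
# C:\Users\x\Windows\System32\ is not accepted as a Windows system directory.
_PREFIX = r"^(?:[a-z]:|\\device\\harddiskvolume\d+)\\windows\\"
_SYSTEM_DIR = re.compile(_PREFIX + r"(?:system32|winsxs)\\", re.I)
_LEGIT_LSASS = re.compile(_PREFIX + r"system32\\lsass\.exe$", re.I)
CODE_INTEGRITY_IDS = {3033, 3063}  # loads refused by Code Integrity under LSA Protection


def is_lsass_name(path):
    return PureWindowsPath(path).name.lower() == "lsass.exe"


def in_system_dir(path):
    return bool(_SYSTEM_DIR.match(path))


def is_legit_lsass(path):
    return bool(_LEGIT_LSASS.match(path))


def md5_of(hashes):
    """Pull the MD5 out of Sysmon's 'MD5=...,SHA256=...' Hashes string."""
    m = re.search(r"MD5=([0-9A-Fa-f]{32})", hashes or "")
    return m.group(1).lower() if m else None


def hunt(events, dll_allowlist=()):
    """Run the four queries; return one finding per hit carrying the fields the playbook reports."""
    allow = {p.lower() for p in dll_allowlist}
    findings = []
    for ev in events:
        eid, chan = ev.get("EventID"), ev.get("Channel", "")
        base = {"host": ev.get("Computer"), "pid": ev.get("ProcessId"), "image": ev.get("Image"),
                "cmdline": ev.get("CommandLine"), "md5": md5_of(ev.get("Hashes")),
                "user": ev.get("User"), "dll": ev.get("ImageLoaded")}
        if chan.startswith("Microsoft-Windows-CodeIntegrity") and eid in CODE_INTEGRITY_IDS:
            # Query 1: Code Integrity refused a DLL load into lsass.exe (needs RunAsPPL).
            findings.append({**base, "rule": "blocked_lsass_load",
                             "image": ev.get("ProcessNameBuffer"), "dll": ev.get("FileNameBuffer")})
        elif chan.startswith("Microsoft-Windows-Sysmon") and is_lsass_name(ev.get("Image", "")):
            image, dll = ev["Image"], ev.get("ImageLoaded", "")
            if eid == 1 and not is_legit_lsass(image):
                # Query 2: something named lsass.exe started outside %SystemRoot%\System32.
                findings.append({**base, "rule": "illegit_lsass_exec"})
            elif eid == 7 and not is_legit_lsass(image):
                # Query 3: any DLL loaded by that illegitimate lsass.exe, wherever the DLL lives.
                findings.append({**base, "rule": "dll_loaded_by_illegit_lsass"})
            elif eid == 7 and not in_system_dir(dll) and dll.lower() not in allow:
                # Query 4: the real lsass.exe loading a DLL from outside the system directories.
                findings.append({**base, "rule": "illegit_dll_in_lsass"})
    return findings


SYSMON = "Microsoft-Windows-Sysmon/Operational"
CI = "Microsoft-Windows-CodeIntegrity/Operational"
REAL = r"C:\Windows\System32\lsass.exe"
FAKE = r"C:\Users\jdoe\AppData\Local\Temp\lsass.exe"
EMPTY_MD5 = "MD5=D41D8CD98F00B204E9800998ECF8427E"  # placeholder (MD5 of an empty file)


def _ev(eid, **fields):
    return {"Channel": SYSMON, "EventID": eid, "Computer": "ws01.corp.example", **fields}


SAMPLE_EVENTS = [  # constructed for this example, not captured from a real host
    _ev(7, Image=REAL, ProcessId=712, ImageLoaded=r"C:\Windows\System32\msv1_0.dll"),           # routine, no hit
    _ev(7, Image=REAL, ProcessId=712, ImageLoaded=r"C:\ProgramData\update\lsaext.dll"),         # query 4
    _ev(7, Image=REAL, ProcessId=712, ImageLoaded=r"C:\Program Files\ExampleEDR\hook64.dll"),   # allowlisted tool
    _ev(1, Image=FAKE, ProcessId=4420, CommandLine=FAKE, User=r"CORP\jdoe", Hashes=EMPTY_MD5),  # query 2
    _ev(1, Image=r"C:\Users\jdoe\Windows\System32\lsass.exe", ProcessId=4444, User=r"CORP\jdoe"),  # query 2, lookalike path
    _ev(7, Image=FAKE, ProcessId=4420, ImageLoaded=r"C:\Users\jdoe\AppData\Local\Temp\payload.dll"),  # query 3
    {"Channel": CI, "EventID": 3033, "Computer": "ws01.corp.example",                            # query 1
     "ProcessNameBuffer": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "FileNameBuffer": r"\Device\HarddiskVolume2\Windows\System32\unsigned.dll"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, dll_allowlist=[r"C:\Program Files\ExampleEDR\hook64.dll"]):
        print(f["rule"], f["host"], f["pid"], f["image"], f["dll"], f["md5"], f["user"])
```

Running the sample set with the EDR DLL allowlisted yields five findings (one per malicious record) and none for the routine msv1_0.dll load; without the allowlist the EDR hook is reported too, which is the kind of noise the Notes section expects you to tune out. Query 3 deliberately does not filter on the DLL's location, because a DLL loaded by a fake lsass.exe is suspect wherever it sits.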


What results are expected:

  • Name, process ID, and path of the illegitimate lsass.exe process.

  • Command line arguments for lsass.exe

  • DLL loaded by lsass.exe

  • MD5 hash of the lsass.exe image file, taken from the Sysmon Hashes field

  • Hostname of the computer where the LSASS driver was loaded

  • User account that was used to execute an illegitimate copy of lsass.exe


Common follow-on actions:

  • Acquire forensic image

  • Sandbox file

  • Get running processes

  • Get network connections

  • Quarantine host


What inputs are necessary:

  • SIEM

  • Logs: Windows Event Code 3033

  • Logs: Windows Event Code 3063

  • Logs: Sysmon Event ID 1: Process creation

  • Logs: Sysmon Event ID 7: Image loaded

  • Hunt start time


What subroutine playbooks are needed:

  • Create and Link Alerts from Hunt (Host-based)


What configurations are needed:

  • Sysmon logging with Event ID 1 (process creation) and Event ID 7 (image loaded) enabled. Event ID 7 is not logged by the default Sysmon configuration and must be turned on explicitly.

  • LSA Protection (RunAsPPL) enabled on the endpoints. Event IDs 3033 and 3063 are only written when Code Integrity actually blocks a load into lsass.exe; a host running in LSA Protection audit mode logs Event IDs 3065 and 3066 instead (load allowed, but would have been blocked), which the queries above do not include.

  • The Microsoft-Windows-CodeIntegrity/Operational log forwarded to the SIEM alongside the Sysmon log.


False Positive Potential: Low

  • Execution of lsass.exe outside of the system directory is uncommon and noteworthy, and Code Integrity events 3033 and 3063 for lsass.exe always deserve a look.

  • Hits from the Sysmon Event ID 7 query against the legitimate lsass.exe need more scrutiny: security tools that hook or monitor lsass.exe may load DLLs from their own installation directories, so expect to allowlist a small, known set of paths and signers before treating the remainder as findings.


Notes:

  • It is highly recommended that whitelisting is added to the organization's Sysmon configuration when Event ID 7 logging is enabled. Many Windows processes, common user programs, and security tools routinely load DLLs and will generate very high log volumes if every image load is recorded. For this hunt it is enough to log image loads where the loading process is named lsass.exe, and to exclude the routine Microsoft-signed loads from System32.
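A Sysmon configuration fragment that applies the note above, added here as an example and not taken from the HUNTS playbook or any published Sysmon configuration. It logs Event ID 7 only when the loading process is named lsass.exe (from any path, so the illegitimate-copy queries still get data) and then drops the routine case of the real lsass.exe loading a Microsoft-signed DLL from System32. The schema version and the signer name "Microsoft Windows" are assumptions to check against the Sysmon release and the signers actually observed in your environment.

```xml
<Sysmon schemaversion="4.30">
  <EventFiltering>
    <!-- Log Event ID 7 only when the loading process is named lsass.exe, whatever its path.
         condition="image" matches on the file name, so a copy in %TEMP% is still logged. -->
    <RuleGroup name="lsass image loads" groupRelation="or">
      <ImageLoad onmatch="include">
        <Image condition="image">lsass.exe</Image>
      </ImageLoad>
    </RuleGroup>
    <!-- Exclude rules win over include rules. All three conditions must hold (groupRelation="and"),
         so an unsigned DLL in System32, a Microsoft-signed DLL outside it, or any load by an
         lsass.exe that is not the real one is still logged. -->
    <RuleGroup name="lsass routine loads" groupRelation="or">
      <ImageLoad onmatch="exclude">
        <Rule groupRelation="and">
          <Image condition="is">C:\Windows\System32\lsass.exe</Image>
          <ImageLoaded condition="begin with">C:\Windows\System32\</ImageLoaded>
          <Signature condition="is">Microsoft Windows</Signature>
        </Rule>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Excluding on signer as well as path is deliberate: a DLL planted directly into System32 would be hidden by a path-only exclusion, and with LSA Protection enabled it would only surface through Event ID 3033. DLLs signed by other Microsoft certificates will still be logged with this fragment; extend the exclusion with additional Rule elements once you know which signers appear on your hosts, rather than widening the path match.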