[Tuning] Suspicious Lsass Process Access #4188

Merged
merged 2 commits into from
Nov 7, 2024
Changes from 1 commit
Update credential_access_suspicious_lsass_access_generic.toml
Samirbous authored Oct 21, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
commit 4e258de3e62a1afd6119aaf297b170d532aba7d5
Expand Up @@ -2,7 +2,7 @@
creation_date = "2023/01/22"
integration = ["windows"]
maturity = "production"
updated_date = "2024/10/15"
updated_date = "2024/10/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

Expand Down Expand Up @@ -51,14 +51,25 @@ process where host.os.type == "windows" and event.code == "10" and
"?:\\Windows\\LTSvc\\LTSVC.exe",
"?:\\Windows\\Sysmon.exe",
"?:\\Windows\\Sysmon64.exe",
"C:\\Windows\\CynetMS.exe",
"?:\\Windows\\system32\\csrss.exe",
"?:\\Windows\\System32\\lsm.exe",
"?:\\Windows\\system32\\MRT.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\system32\\wbem\\wmiprvse.exe",
"?:\\Windows\\system32\\wininit.exe",
"?:\\Windows\\SystemTemp\\GUM*.tmp\\GoogleUpdate.exe",
"?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe"
"?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe",
"C:\\oracle\\64\\02\\instantclient_19_13\\sqlplus.exe",
"C:\\oracle\\64\\02\\instantclient_19_13\\sqlldr.exe",
"d:\\oracle\\product\\19\\dbhome1\\bin\\ORACLE.EXE",
"C:\\wamp\\bin\\apache\\apache*\\bin\\httpd.exe",
"C:\\Windows\\system32\\netstat.exe",
"C:\\PROGRA~1\\INFORM~1\\apps\\jdk\\*\\jre\\bin\\java.exe",
"C:\\PROGRA~2\\CyberCNSAgentV2\\osqueryi.exe",
"C:\\Utilityw2k19\\packetbeat\\packetbeat.exe",
"C:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\Temp\\CloudUpdate\\vpndownloader.exe",
"C:\\ProgramData\\Cisco\\Cisco Secure Client\\Temp\\CloudUpdate\\vpndownloader.exe"
) and
not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*")
'''
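Review bot: the eleven new exclusions (from `"C:\\oracle\\64\\02\\instantclient_19_13\\sqlplus.exe"` down to `"C:\\ProgramData\\Cisco\\Cisco Secure Client\\Temp\\CloudUpdate\\vpndownloader.exe"`) break the list's convention: every earlier entry except the pre-existing `CynetMS.exe` line uses the `?:\\` drive wildcard, while these hard-code `C:\\` and `d:\\`, so the same product installed on another drive will still alert. Several of them are also site-specific rather than product-specific (`"C:\\Utilityw2k19\\packetbeat\\packetbeat.exe"`, `"d:\\oracle\\product\\19\\dbhome1\\bin\\ORACLE.EXE"`, and the `instantclient_19_13` paths), which will not generalize for other users of this rule; a wildcard such as `?:\\oracle\\*\\instantclient_*\\sqlplus.exe` would cover the same case without pinning the install layout. Separately, carving out a web server (`httpd.exe`), a JRE under a wildcarded version directory (`java.exe`) and `netstat.exe` from an LSASS-access rule by path alone is a broad exclusion, since those processes are common hosts for injected or attacker-launched code and a path match is weak evidence that the access is benign. If the source event carries signer fields, pair these paths with a signature condition; otherwise please record in the PR why each of these processes legitimately opens LSASS so the tuning stays reviewable later.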