Name:Unsigned Image Loaded by LSASS id:56ef054c-76ef-45f9-af4a-a634695dcd65 version:3 date:2024-10-17 author:Patrick Bareiss, Splunk status:deprecated type:TTP Description:This search detects loading of unsigned images by LSASS. Deprecated because too noisy. Data_source:
-Sysmon EventID 7
search:`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter`
how_to_implement:This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. known_false_positives:Other tools could load images into LSASS for legitimate reason. But enterprise tools should always use signed DLLs. References: -https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf drilldown_searches:
: tags: analytic_story: - 'Credential Dumping' asset_type:Windows confidence:50 impact:50 message:tbd mitre_attack_id: - 'T1003.001' observable: name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' risk_score:25 security_domain:endpoint