Unsigned Image Loaded by LSASS

Original Source: [splunk source]
Name:Unsigned Image Loaded by LSASS
id:56ef054c-76ef-45f9-af4a-a634695dcd65
version:3
date:2024-10-17
author:Patrick Bareiss, Splunk
status:deprecated
type:TTP
Description:This search detects loading of unsigned images by LSASS. Deprecated because too noisy.
Data_source:
  - Sysmon EventID 7
search:`sysmon` EventID=7 Image=*lsass.exe Signed=false
| stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1
| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
| `unsigned_image_loaded_by_lsass_filter`


how_to_implement:This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
known_false_positives:Other tools could load images into LSASS for legitimate reasons, but enterprise tools should always use signed DLLs.
References:
  - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
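To make the search's behaviour concrete, the following is an added reference implementation (not Splunk's code) of the same pipeline over constructed Sysmon EventID 7 records: the `EventID=7 Image=*lsass.exe Signed=false` filter, the `stats count min(_time) max(_time) by ...` aggregation, and a stand-in for the `unsigned_image_loaded_by_lsass_filter` post-filter macro, modelled here as a hypothetical allow-list of SHA1 hashes for known-good unsigned loaders. The sample events, hostnames, paths and hashes are all constructed.

```python
"""Added example: reference implementation of the 'Unsigned Image Loaded by
LSASS' search over constructed Sysmon EventID 7 records (not Splunk's code)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events. _time is epoch seconds, as Splunk stores it.
# Sysmon EID 7: Image is the loading process, ImageLoaded is the module.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventID": 7, "dest": "ws01",
     "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true", "SHA1": "AAAA"},
    {"_time": 1700000060, "EventID": 7, "dest": "ws01",
     "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Users\Public\unknown.dll", "Signed": "false", "SHA1": "BBBB"},
    {"_time": 1700000120, "EventID": 7, "dest": "ws01",
     "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Users\Public\unknown.dll", "Signed": "false", "SHA1": "BBBB"},
    {"_time": 1700000180, "EventID": 7, "dest": "ws02",
     "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Program Files\VendorAgent\agent.dll", "Signed": "false", "SHA1": "CCCC"},
    {"_time": 1700000240, "EventID": 7, "dest": "ws02",
     "Image": r"C:\Windows\System32\svchost.exe",        # not lsass: must not match
     "ImageLoaded": r"C:\Users\Public\other.dll", "Signed": "false", "SHA1": "DDDD"},
    {"_time": 1700000300, "EventID": 1, "dest": "ws02",   # process create, not a load
     "Image": r"C:\Windows\System32\lsass.exe"},
]

# Hypothetical content of `unsigned_image_loaded_by_lsass_filter`: an allow-list
# of known-good unsigned modules, keyed by SHA1 so a renamed copy is not excused.
ALLOWLISTED_SHA1 = {"CCCC"}

# The "by" clause of the stats command.
GROUP_KEYS = ("dest", "Image", "ImageLoaded", "Signed", "SHA1")


def matches_search(ev):
    """EventID=7 Image=*lsass.exe Signed=false (SPL wildcard, case-insensitive)."""
    return (ev.get("EventID") == 7
            and str(ev.get("Image", "")).lower().endswith("lsass.exe")
            and str(ev.get("Signed", "")).lower() == "false")


def ctime(epoch):
    """Stand-in for `security_content_ctime`: render epoch seconds as UTC text."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def run_detection(events, allowlisted_sha1=ALLOWLISTED_SHA1):
    """Return rows equivalent to the SPL stats output after the post-filter."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches_search(ev):
            continue
        key = tuple(ev.get(k) for k in GROUP_KEYS)
        agg = groups[key]
        agg["count"] += 1
        t = ev["_time"]
        agg["firstTime"] = t if agg["firstTime"] is None else min(agg["firstTime"], t)
        agg["lastTime"] = t if agg["lastTime"] is None else max(agg["lastTime"], t)

    rows = []
    for key, agg in groups.items():
        row = dict(zip(GROUP_KEYS, key))
        row.update(agg)
        if row["SHA1"] in allowlisted_sha1:   # the post-filter macro step
            continue
        row["firstTime_text"] = ctime(row["firstTime"])
        row["lastTime_text"] = ctime(row["lastTime"])
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS):
        print(r)
```

With the allow-list in place only the `unknown.dll` loads on `ws01` survive (one row, count 2); dropping the allow-list also surfaces the vendor agent row, which is the noise the description refers to and why the filter macro matters for this rule.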
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Credential Dumping'
  asset_type:Windows
  confidence:50
  impact:50
  message:tbd
  mitre_attack_id:
    - 'T1003.001'
  observable:
    - name:'dest'
      type:'Hostname'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score:25
  security_domain:endpoint

tests:
  :
manual_test:None

Related Analytic Stories


Credential Dumping