
My First Sigma Detection Rule: LSASS Access
Recently I've been analyzing an APT attack dataset. I encountered some of the advanced methods APTs use to get into a system, maintain persistence, perform lateral movement, and execute payloads.
While working on this dataset, it took me days to understand techniques that attackers can execute in seconds. So I thought, why not create Sigma detection rules for threats that look legitimate but carry malicious intent?
So, here I am with my first detection rule, "Suspicious Process Access to LSASS with Full Permissions."
What it does
- Detects powershell.exe or cmd.exe accessing lsass.exe with full or near-full access rights, indicating potential credential dumping activity.
Possible False Positive
- Security monitoring tools
- Administrative PowerShell scripts performing legitimate system checks
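As an added example (not the author's rule or its SPL conversion), here is the selection described above expressed as a small Python evaluator over constructed Sysmon Event ID 10 (ProcessAccess) records. The field names follow Sysmon's ProcessAccess schema, and the granted-access masks are assumptions for this example (0x1FFFFF is PROCESS_ALL_ACCESS); none of these values come from the post.

```python
# Sigma-style selection this evaluator mirrors (assumed, not the author's rule):
#   logsource: {product: windows, category: process_access}
#   detection:
#     selection:
#       TargetImage|endswith: '\lsass.exe'
#       SourceImage|endswith: ['\powershell.exe', '\cmd.exe']
#       GrantedAccess: ['0x1FFFFF', '0x1F1FFF', '0x1F3FFF']   # full / near-full
#     condition: selection

SOURCE_IMAGES = ("\\powershell.exe", "\\cmd.exe")
TARGET_IMAGE = "\\lsass.exe"
# 0x1FFFFF is PROCESS_ALL_ACCESS; the other two are near-full masks chosen
# as an assumption for this example.
SUSPICIOUS_ACCESS = {0x1FFFFF, 0x1F1FFF, 0x1F3FFF}


def is_suspicious_lsass_access(event: dict) -> bool:
    """Return True when a Sysmon EID 10 event matches the rule's selection."""
    if event.get("EventID") != 10:
        return False
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    if not target.endswith(TARGET_IMAGE):
        return False
    if not source.endswith(SOURCE_IMAGES):
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:  # malformed mask: do not match rather than crash
        return False
    return granted in SUSPICIOUS_ACCESS


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\cmd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1F1FFF"},
    # Security tool reading LSASS: not matched because the rule scopes on SourceImage
    {"EventID": 10, "SourceImage": r"C:\Program Files\EDR\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # PowerShell querying a different process with limited rights: not matched
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},
]


def matching_events(events):
    """Filter a list of Sysmon events down to those the rule would alert on."""
    return [e for e in events if is_suspicious_lsass_access(e)]
```

Running `matching_events(SAMPLE_EVENTS)` returns the first two records only, which shows how scoping on the source image keeps a full-access read by a security tool from firing while still catching the shell-initiated ones.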
What I did
- Created and validated the Sigma rule
- Converted it into SPL
- Tested it successfully
Rule Link
- You can find it on my GitHub
I’ll be adding more detection rules soon.
Feedback
- If you have suggestions or improvements, I’d really like to hear them.
And if you’re working on similar detections, feel free to connect.