Rule Description
This rule is meant to provide an example of using a template in a report name (see Respond block below) to extract key fields from within the event that triggered the detection. Read more about template strings in our docs.
The detection logic can also serve as a starting point for operationalizing the SENSITIVE_PROCESS_ACCESS
event to look for unusual behavior characteristic of credential-theft tools such as Mimikatz and similar.
You'd first want to baseline this activity in your environment, then use that baseline to inform the SOURCE
exclusions outlined in the Detect logic below. Keep the exclusion list as short as the baseline allows: each excluded path suffix is something an attacker can try to mimic, so every exclusion trades coverage for noise reduction.
Example baseline LCQL Query
-24h | * | SENSITIVE_PROCESS_ACCESS | event/*/event/TARGET/FILE_PATH contains "lsass" | ts as Timestamp event/*/event/SOURCE/FILE_PATH as SOURCE event/*/event/TARGET/FILE_PATH as TARGET
Detect
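# Detect: any process opening a handle to LSASS, except a short list of
# known-good Windows binaries.
#
# Paths are matched with `ends with` rather than `is` because the sensor may
# report either a drive-letter path (C:\Windows\system32\...) or a device path
# (\Device\HarddiskVolume3\Windows\System32\...) -- compare FILE_PATH and
# PARENT/FILE_PATH in the test event below.
#
# ACCESS_FLAGS is deliberately not inspected. In the test event it is 4112
# (0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION), the minimum
# a memory dumper needs; if your baseline shows many query-only handles you
# may want to tune on it, but start with the path/signature gate below.
event: SENSITIVE_PROCESS_ACCESS
op: and
rules:
  # Target of the handle is LSASS, whichever sub-event in EVENTS carries it.
  - op: ends with
    path: event/*/event/TARGET/FILE_PATH
    value: lsass.exe
    case sensitive: false
  # Exclusions. A bare `system32\MRT.exe` suffix is satisfied by ANY path that
  # ends that way (e.g. C:\Users\Public\system32\MRT.exe), so each exclusion is
  # anchored to the Windows directory and only honoured when the source image
  # is signed. The alert fires when the source is unsigned (or FILE_IS_SIGNED
  # is missing -- fail closed) OR its path is not one of the excluded ones.
  #
  # FILE_IS_SIGNED only records that the image carries a signature, not who
  # signed it; treat it as a noise filter, not as proof the binary is
  # Microsoft's.
  - op: or
    rules:
      - op: is
        not: true
        path: event/*/event/SOURCE/FILE_IS_SIGNED
        value: 1
      - op: and
        rules:
          - op: ends with
            not: true
            path: event/*/event/SOURCE/FILE_PATH
            value: windows\system32\mrt.exe
            case sensitive: false
          - op: ends with
            not: true
            path: event/*/event/SOURCE/FILE_PATH
            value: windows\system32\csrss.exe
            case sensitive: false
          # Sysmon may be installed as Sysmon.exe or Sysmon64.exe; add the
          # second only if your baseline query shows it.
          - op: ends with
            not: true
            path: event/*/event/SOURCE/FILE_PATH
            value: windows\sysmon.exe
            case sensitive: false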
Respond
# Respond: emit a detection whose name embeds the SOURCE process path.
#
# The template indexes EVENTS[1] by position. In the test event below that is
# the REMOTE_PROCESS_HANDLE sub-event carrying SOURCE, but nothing validates
# the index at runtime -- confirm it holds for every SENSITIVE_PROCESS_ACCESS
# shape you observe before relying on it.
#
# NOTE(review): the source path is attacker-influenced data (any process name
# the adversary chooses ends up in the name). A dynamic name also means one
# distinct detection name per source binary, so do not key suppression,
# de-duplication or downstream automation on the report name alone.
- action: report
  name: Suspicious LSASS Access by {{ index (index .event.EVENTS 1) "event" "SOURCE" "FILE_PATH" }}
Notice the template string in the report name: it evaluates to the FILE_PATH of the SOURCE process (the process that opened the handle to LSASS) taken from EVENTS[1] -- in the test event below, C:\Windows\system32\rundll32.exe.
Test Event Target(s)
{
"event": {
"EVENTS": [
{
"event": {
"BASE_ADDRESS": 140700034269184,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1739810602801,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "e69356111240657e6435edf2e3a4bbac9c89957ef2d34fc620b8b7dbf564a862",
"MEMORY_USAGE": 24686592,
"PARENT": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume3\\Windows\\System32\\wininit.exe",
"HASH": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af",
"MEMORY_USAGE": 7094272,
"PARENT_PROCESS_ID": 408,
"PROCESS_ID": 484,
"THIS_ATOM": "f756455a8e2bb5340f959ade67b36b38",
"THREADS": 1,
"TIMESTAMP": 1739811640783,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 484,
"PROCESS_ID": 648,
"THREADS": 10,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "c92d5fd6-15e5-4b8d-8d76-ec6197002f33",
"event_time": 1739811640968,
"event_type": "EXISTING_PROCESS",
"ext_ip": "35.202.185.98",
"hostname": "it-01.initechsw.com",
"iid": "977077fa-c52c-408b-b04e-f97902114203",
"int_ip": "10.127.0.101",
"moduleid": 2,
"oid": "7a6d3e19-62a6-428b-ae26-fb0ba8ca7f33",
"parent": "f756455a8e2bb5340f959ade67b36b38",
"plat": 268435456,
"sid": "b7ef0b6b-4576-493b-b24b-6c39f3146f69",
"tags": [
"windows"
],
"this": "12f114c34764cd0cffeed85767b36b38"
}
},
{
"event": {
"ACCESS_FLAGS": 4112,
"PARENT_PROCESS_ID": 60,
"PROCESS_ID": 648,
"SOURCE": {
"BASE_ADDRESS": 140700137619456,
"COMMAND_LINE": "C:\\Windows\\system32\\rundll32.exe",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\rundll32.exe",
"HASH": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa",
"MEMORY_USAGE": 8998912,
"PARENT_ATOM": "e59863191bb4e05b5fac859967b4d29d",
"PARENT_PROCESS_ID": 10652,
"PROCESS_ID": 60,
"THIS_ATOM": "7a7bffbf9e27db4f6af8dca267b50ae8",
"THREADS": 3,
"TIMESTAMP": 1739918056451,
"USER_NAME": "INITECHSW\\Lewis.Douglas"
},
"TARGET": {
"BASE_ADDRESS": 140700034269184,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1739810602801,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "e69356111240657e6435edf2e3a4bbac9c89957ef2d34fc620b8b7dbf564a862",
"MEMORY_USAGE": 24686592,
"PARENT_ATOM": "f756455a8e2bb5340f959ade67b36b38",
"PARENT_PROCESS_ID": 484,
"PROCESS_ID": 648,
"THIS_ATOM": "12f114c34764cd0cffeed85767b36b38",
"THREADS": 10,
"TIMESTAMP": 1739811640968,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
}
},
"routing": {
"arch": 2,
"did": "",
"event_id": "13194933-bbeb-41d4-b528-a264baf27a6c",
"event_time": 1739918057071,
"event_type": "REMOTE_PROCESS_HANDLE",
"ext_ip": "35.202.185.98",
"hostname": "it-01.initechsw.com",
"iid": "977077fa-c52c-408b-b04e-f97902114203",
"int_ip": "10.127.0.101",
"moduleid": 2,
"oid": "7a6d3e19-62a6-428b-ae26-fb0ba8ca7f33",
"parent": "7a7bffbf9e27db4f6af8dca267b50ae8",
"plat": 268435456,
"sid": "b7ef0b6b-4576-493b-b24b-6c39f3146f69",
"tags": [
"windows"
],
"target": "12f114c34764cd0cffeed85767b36b38",
"this": "9952ffddfc694e59677b320567b50ae9"
}
}
]
},
"routing": {
"arch": 2,
"did": "",
"event_id": "5dbcfd80-0dc0-4efb-944a-e96347184827",
"event_time": 1739918057892,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "35.202.185.98",
"hostname": "it-01.initechsw.com",
"iid": "977077fa-c52c-408b-b04e-f97902114203",
"int_ip": "10.127.0.101",
"moduleid": 2,
"oid": "7a6d3e19-62a6-428b-ae26-fb0ba8ca7f33",
"parent": "7a7bffbf9e27db4f6af8dca267b50ae8",
"plat": 268435456,
"sid": "b7ef0b6b-4576-493b-b24b-6c39f3146f69",
"tags": [
"windows"
],
"target": "12f114c34764cd0cffeed85767b36b38",
"this": "dea09b614788986f6d2781ec67b50ae9"
},
"ts": "2025-02-18 22:34:17"
}