SOURCE missing from SENSITIVE_PROCESS_ACCESS

joshlemon · July 22, 2025, 11:50pm

Following on from this comment, it looks like the SOURCE object is missing from the SENSITIVE_PROCESS_ACCESS event.

This means you can’t determine what accessed the sensitive process.

Below is a redacted sample event:

{
  "author": "SoteriaSec",
  "cat": "Suspicious LSASS Access by {{ index (index .event.EVENTS 1) \"event\" \"SOURCE\" \"FILE_PATH\" }}",
  "detect": {
    "event": {
      "EVENTS": [
        {
          "event": {
            "BASE_ADDRESS": 140700205187072,
            "COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
            "CREATION_TIME": 1751724076897,
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
            "HASH": "a4f5fbe1f588c7ac760b0ee406d54e4e02e1acf5efb286abbf75bf9f04bf0485",
            "MEMORY_USAGE": 38899712,
            "PARENT": {
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe",
              "HASH": "9d045793929738aba4a99d3d48dcb9de8ede24ca31b7319b618942fc5eb27e06",
              "MEMORY_USAGE": 7225344,
              "PARENT_PROCESS_ID": 520,
              "PROCESS_ID": 656,
              "THIS_ATOM": "a534f1351f3638c6ea5aca8f68794403",
              "THREADS": 1,
              "TIMESTAMP": 1752777731334,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            },
            "PARENT_PROCESS_ID": 656,
            "PROCESS_ID": 792,
            "THREADS": 9,
            "USER_NAME": "NT AUTHORITY\\SYSTEM"
          },
          "routing": {
            "arch": 2,
            "did": "",
            "event_id": "0eaa1f10-d78e-4753-a215-4c5af440d661",
            "event_time": 1752777731584,
            "event_type": "EXISTING_PROCESS",
            "ext_ip": "REDACTED",
            "hostname": "REDACTED",
            "iid": "413e09ec-930d-4976-80e0-677380577b4d",
            "int_ip": "REDACTED",
            "latency": 416662873,
            "moduleid": 2,
            "oid": "ae41fcf5-70a0-4e89-9a97-895d62e0415f",
            "parent": "a534f1351f3638c6ea5aca8f68794403",
            "plat": 268435456,
            "sid": "4de1e678-678b-47c6-8392-4c4396b0b9a4",
            "tags": [
              "lc:latest",
              "server",
              "terminal_server"
            ],
            "this": "fe6bbe167ffb4ced27f4398768794403"
          }
        },
        {
          "event": {
            "ACCESS_FLAGS": 1053712,
            "PARENT_PROCESS_ID": 12588,
            "PROCESS_ID": 792,
            "TARGET": {
              "BASE_ADDRESS": 140700205187072,
              "COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
              "CREATION_TIME": 1751724076897,
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
              "HASH": "a4f5fbe1f588c7ac760b0ee406d54e4e02e1acf5efb286abbf75bf9f04bf0485",
              "MEMORY_USAGE": 38899712,
              "PARENT_ATOM": "a534f1351f3638c6ea5aca8f68794403",
              "PARENT_PROCESS_ID": 656,
              "PROCESS_ID": 792,
              "THIS_ATOM": "fe6bbe167ffb4ced27f4398768794403",
              "THREADS": 9,
              "TIMESTAMP": 1752777731584,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            }
          },
          "routing": {
            "arch": 2,
            "did": "",
            "event_id": "fd088519-32c5-453c-8266-7886cf2062c2",
            "event_time": 1753189837397,
            "event_type": "REMOTE_PROCESS_HANDLE",
            "ext_ip": "REDACTED",
            "hostname": "REDACTED",
            "iid": "413e09ec-930d-4976-80e0-677380577b4d",
            "int_ip": "REDACTED",
            "latency": 4557060,
            "moduleid": 2,
            "oid": "ae41fcf5-70a0-4e89-9a97-895d62e0415f",
            "plat": 268435456,
            "sid": "4de1e678-678b-47c6-8392-4c4396b0b9a4",
            "tags": [
              "lc:latest",
              "server",
              "terminal_server"
            ],
            "target": "fe6bbe167ffb4ced27f4398768794403",
            "this": "edced43a870df3ac6432065a687f9f9a"
          }
        }
      ]
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "529fe0a9-3d8d-4466-8431-f088f8809144",
      "event_time": 1753194394533,
      "event_type": "SENSITIVE_PROCESS_ACCESS",
      "ext_ip": "REDACTED",
      "hostname": "REDACTED",
      "iid": "413e09ec-930d-4976-80e0-677380577b4d",
      "int_ip": "REDACTED",
      "latency": -75,
      "moduleid": 2,
      "oid": "ae41fcf5-70a0-4e89-9a97-895d62e0415f",
      "plat": 268435456,
      "sid": "4de1e678-678b-47c6-8392-4c4396b0b9a4",
      "tags": [
        "lc:latest",
        "server",
        "terminal_server"
      ],
      "target": "fe6bbe167ffb4ced27f4398768794403",
      "this": "f9316ed7ab1392d76c1e4f2a687f9f9a"
    }
  },
  "detect_id": "e2830378-505b-40da-ba7c-0832687f9f9a",
  "gen_time": 1753194394457,
  "link": "https://app.limacharlie.io/orgs/ae41fcf5-70a0-4e89-9a97-895d62e0415f/sensors/4de1e678-678b-47c6-8392-4c4396b0b9a4/timeline?time=1753194394&selected=f9316ed7ab1392d76c1e4f2a687f9f9a",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "529fe0a9-3d8d-4466-8431-f088f8809144",
    "event_time": 1753194394533,
    "event_type": "SENSITIVE_PROCESS_ACCESS",
    "ext_ip": "REDACTED",
    "hostname": "REDACTED",
    "iid": "413e09ec-930d-4976-80e0-677380577b4d",
    "int_ip": "REDACTED",
    "latency": -75,
    "moduleid": 2,
    "oid": "ae41fcf5-70a0-4e89-9a97-895d62e0415f",
    "plat": 268435456,
    "sid": "4de1e678-678b-47c6-8392-4c4396b0b9a4",
    "tags": [
      "lc:latest",
      "server",
      "terminal_server"
    ],
    "target": "fe6bbe167ffb4ced27f4398768794403",
    "this": "f9316ed7ab1392d76c1e4f2a687f9f9a"
  },
  "source": "ae41fcf5-70a0-4e89-9a97-895d62e0415f.413e09ec-930d-4976-80e0-677380577b4d.4de1e678-678b-47c6-8392-4c4396b0b9a4.10000000.2",
  "source_rule": "general.Suspicious LSASS Access",
  "ts": 1753194395000
}

system · July 29, 2025, 11:51pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Detecting Suspicious LSASS Access + Template String Example Detection & Response Rules detection , windows	1	58	July 22, 2025
Developing A Baseline For Sensitive Process Access LCQL Queries windows , lcql	0	19	February 18, 2025
Tracking Failed Windows Logons for Threat Hunting LCQL Queries lcql	0	27	February 17, 2025
Is rundll32.exe Executed Without Expected Dll Path? LCQL Queries lcql	0	10	February 17, 2025
Quickly Find Remote Desktop Logons LCQL Queries	0	24	February 17, 2025

SOURCE missing from SENSITIVE_PROCESS_ACCESS

Related topics