feat(rules): LSASS handle leak via Seclogon

Identifies suspicious access to LSASS process from a callstack pointing to seclogon.dll that may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in  preparation for credential access.

Author: rabbitstack

rules/credential_access_lsass_handle_leak_via_seclogon.yml

@@ -0,0 +1,28 @@
+name: LSASS handle leak via Seclogon
+id: 5d55c938-875e-49e1-ae53-fa196d4445eb
+version: 1.0.0
+description: |
+  Identifies suspicious access to LSASS process from a callstack pointing to seclogon.dll that
+  may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in 
+  preparation for credential access.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.name: OS Credential Dumping
+  technique.ref: https://attack.mitre.org/techniques/T1003/
+  subtechnique.id: T1003.001
+  subtechnique.name: LSASS Memory
+  subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
+references:
+  - https://github.com/antonioCoco/MalSeclogon
+  - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
+
+condition: >
+  open_process and kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.name ~= 'svchost.exe'
+    and
+  ps.access.mask.names in ('CREATE_PROCESS', 'DUP_HANDLE') and thread.callstack.modules imatches ('*seclogon.dll')
+
+severity: high
+
+min-engine-version: 2.4.0