Data Sources: Sysmon (Event ID 1, 10), Windows Security Event Logs, EDR Process Tree
Tools: Splunk, Sigma, Sysmon
Output: Sigma Rule + SPL Detection Query

Hypothesis

Adversaries staging lateral movement in an Active Directory environment will attempt to access LSASS process memory to extract credential material. This manifests as abnormal process relationships: specifically lsass.exe spawning child processes, or non-standard processes accessing LSASS via OpenProcess with elevated rights.

Hypothesis: If an adversary has compromised an endpoint and is staging for lateral movement, we will observe anomalous child processes of lsass.exe or memory-access patterns targeting lsass.exe from processes outside the expected baseline.


Scope & Data Sources

Data Source          Coverage
Windows Event Logs   Security 4688, Sysmon 1 (Process Create)
Sysmon               Event ID 10 (ProcessAccess to lsass.exe)
EDR Telemetry        Process ancestry, memory access events
SIEM                 Splunk (SPL), Microsoft Sentinel (KQL)

Timeframe: Last 30 days
Scope: All Windows endpoints in scope for EDR coverage
Excluded: Known legitimate processes (LSASS access from antivirus engines, whitelisted tools)


Query Logic

Splunk (SPL): Abnormal LSASS Child Process

index=windows_events EventCode=4688
| where ParentProcessName LIKE "%lsass.exe%"
| where NOT (NewProcessName IN ("C:\\Windows\\System32\\wininit.exe"))
| bin _time span=1d ```bucket by day so the rarity threshold below counts per host per day rather than per event```
| stats count by NewProcessName, ParentProcessName, ComputerName, _time
| where count < 3
| sort -_time

Sigma Rule: LSASS Memory Access

title: Suspicious LSASS Memory Access
id: 8e4b9d1a-f263-4e2b-8c1f-7a9b2c3d4e5f
status: experimental
description: Detects non-standard processes accessing lsass.exe memory (potential credential dumping)
author: ReconHygiene
date: 2025/01/15
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess|contains:
      - '0x1010'
      - '0x1438'
      - '0x143a'
      - '0x1418'
  filter_legit:
    SourceImage|startswith:
      - 'C:\Windows\System32\svchost.exe'
      - 'C:\Program Files\Windows Defender\'
  condition: selection and not filter_legit
falsepositives:
  - Antivirus solutions
  - System management tools
level: high
tags:
  - attack.credential_access
  - attack.t1003.001
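
The rule's selection and filter_legit logic, applied in Python to constructed Sysmon Event ID 10 records so the GrantedAccess values it keys on can be read back as named process rights. This is an added example, not code from the original hunt report; the sample events are constructed, the allowlisted paths are copied from the rule, and the right names come from the PROCESS_* constants in winnt.h.

```python
"""Apply the hunt's Sigma logic (process_access on lsass.exe) to Sysmon Event ID 10 records."""
# Subset of the PROCESS_* access rights from winnt.h, used to explain a GrantedAccess mask.
ACCESS_RIGHTS = {
    0x0002: "CREATE_THREAD",
    0x0008: "VM_OPERATION",
    0x0010: "VM_READ",
    0x0020: "VM_WRITE",
    0x0400: "QUERY_INFORMATION",
    0x1000: "QUERY_LIMITED_INFORMATION",
}
# Values copied from the rule's selection and filter_legit blocks.
SUSPICIOUS_ACCESS = ("0x1010", "0x1438", "0x143a", "0x1418")
LEGIT_SOURCE_PREFIXES = ("C:\\Windows\\System32\\svchost.exe", "C:\\Program Files\\Windows Defender\\")

def decode_access(mask_hex):
    """Name the rights set in a GrantedAccess value such as '0x143a' (Sysmon logs it as hex)."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]

def matches_rule(event):
    """Sigma condition 'selection and not filter_legit'; Sigma string matching is case-insensitive."""
    target = event.get("TargetImage", "").lower()
    granted = event.get("GrantedAccess", "").lower()
    source = event.get("SourceImage", "").lower()
    selection = target.endswith("\\lsass.exe") and any(v in granted for v in SUSPICIOUS_ACCESS)
    filter_legit = source.startswith(tuple(p.lower() for p in LEGIT_SOURCE_PREFIXES))
    return selection and not filter_legit

def hunt(events):
    """Return (Computer, SourceImage, GrantedAccess, decoded rights) for every alerting event."""
    return [(e["Computer"], e["SourceImage"], e["GrantedAccess"], decode_access(e["GrantedAccess"]))
            for e in events if matches_rule(e)]

# Constructed Sysmon Event ID 10 records (not real telemetry), shaped after the Findings table.
SAMPLE_EVENTS = [
    {"Computer": "WS-CORP-042", "SourceImage": "C:\\Windows\\System32\\cmd.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x143A"},
    {"Computer": "WS-CORP-042", "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"Computer": "WS-CORP-017", "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1438"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Only the cmd.exe record alerts: the svchost.exe and Defender records are dropped by filter_legit even though their masks are in the selection list, which is exactly the tuning trade-off the Findings below illustrate.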

Findings

Host          Source Process              Access Type                     Timestamp
WS-CORP-042   cmd.exe (PID 8812)          0x143a (Read+Write to LSASS)    2025-01-12 14:33 UTC
WS-CORP-017   rundll32.exe -> lsass.exe   Suspicious ancestry             2025-01-11 09:21 UTC

Verdict: True positive on WS-CORP-042. cmd.exe spawned as a child of lsass.exe, which is inconsistent with any known legitimate process. Escalated to incident response.

WS-CORP-017 was a false positive: the rundll32.exe call originated from a licensed endpoint protection agent.


Detection Output

The Sigma rule above has been tuned and promoted to the SIEM detection library with the following thresholds:

  • Alert priority: High
  • MITRE ATT&CK tag: T1003.001
  • Response playbook: Credential Compromise IR-004

Recommendations

  1. Enable Sysmon Event ID 10 (ProcessAccess) across all Windows endpoints if not already deployed
  2. Baseline and alert on any non-standard process accessing lsass.exe with write permissions
  3. Restrict LSASS access via RunAsPPL (Protected Process Light) on Windows Server 2012+
  4. Deploy Windows Credential Guard where applicable to prevent memory-based credential extraction