https://github.com/deepinstinct/Lsass-Shtinkering
- Sumo Logic CIP format
- Please consider this experimental / test-only
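// Lsass-Shtinkering hunt: correlates (1) a WerFault.exe launch with the telltale command line,
// (2) WerFault opening lsass (Sysmon 10), and (3) a SYSTEM logon via services.exe (4624),
// all inside the same 1-minute timeslice. Emits one row per timeslice where every qualifier fired.
_collector="DC-SUMOTR1" // Setting collector
| where eventid = 10 OR eventid = 4624 OR eventid = 1 // Only looking for these specific event ids
| timeslice 1m // setting a slim timeslice to weed out false positives
// renaming some fields
| %"eventdata.commandline" as command_line
| %"eventdata.ParentImage" as parent_process
| %"eventdata.targetimage" as target_image
| %"eventdata.sourceimage" as source_image
// NOTE(review): sourceuser -> target_user_4624 and targetusername -> src_user look swapped relative to their
// source field names; the downstream patterns still match "system" either way, but confirm against the field mapping in use
| %"eventdata.sourceuser" as target_user_4624
| %"eventdata.processname" as process_name_4624
| %"eventdata.targetusername" as src_user
// Qualifiers as 0/1 flags, one per event. A single event can satisfy several at once (e.g. a Sysmon 10 row sets both
// lsass_access and werfault_as_source), which is why they are kept separate rather than counted as one concatenated string.
// \d+ instead of fixed digit counts: the -p / -ip PIDs and the -s handle vary in length, and fixed widths caused false negatives.
| if(toLowerCase(command_line) matches /(werfault\.exe \-u \-p \d+ \-ip \d+ \-s \d+)/, 1, 0) as q1_hit
| if(toLowerCase(target_image) matches /(lsass)/, 1, 0) as q2_hit
| if(toLowerCase(source_image) matches /(werfault)/, 1, 0) as q3_hit
| if(toLowerCase(src_user) matches /(nt authority\\system)/, 1, 0) as q4_hit
| if(toLowerCase(target_user_4624) matches /(system)/, 1, 0) as q5_hit
| if(toLowerCase(process_name_4624) matches /(services\.exe)/, 1, 0) as q6_hit
// Human-readable labels derived from the flags (kept for the qualifiers_values column; one label per line, consistently)
| if(q1_hit = 1, "sus_werfault\n", "") as q1
| if(q2_hit = 1, "lsass_access\n", "") as q2
| if(q3_hit = 1, "werfault_as_source\n", "") as q3
| if(q4_hit = 1, "system_exec\n", "") as q4
| if(q5_hit = 1, "login_as_system\n", "") as q5
| if(q6_hit = 1, "service_login\n", "") as q6
| concat(q1,q2,q3,q4,q5,q6) as qualifiers
// max() of a 0/1 flag per timeslice = "this qualifier fired at least once in that minute".
// The previous count_distinct(qualifiers) counted distinct *combinations* of labels per row, not individual qualifiers,
// so it could not reliably reach 6 even when all six conditions were present.
| max(q1_hit) as q1_met, max(q2_hit) as q2_met, max(q3_hit) as q3_met, max(q4_hit) as q4_met, max(q5_hit) as q5_met, max(q6_hit) as q6_met, values(qualifiers) as qualifiers_values, values(command_line) as command_line, values(parent_process) as parent_process, values(target_image) as target_image by _timeslice
// number of distinct qualifiers met in the timeslice (0-6); field name kept for existing dashboards/alerts
| q1_met + q2_met + q3_met + q4_met + q5_met + q6_met as qualifer_count
// only return the results if all six qualifiers are met
| where qualifer_count = 6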