Changed LSASS technique score from 5 to 4

center-for-threat-informed-defense · Aug 21, 2023 · 9f04758 · 9f04758
1 parent 1104146
commit 9f04758
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 8 deletions.
diff --git a/docs/levels/implementations.rst b/docs/levels/implementations.rst
@@ -28,7 +28,14 @@ Observables
 |                               |                                                   | event is indicative of this        |
 |                               |                                                   | technique.                         |
 +-------------------------------+---------------------------------------------------+------------------------------------+
+|  OS Credential Dumping:       |  TargetImage = lsass.exe                          | There are multiple access masks    |
+|  LSASS Memory (T1003.001)     |  GrantedAccess: 0x1010 OR 0x1410                  | which can be used. This analytic   | 
+|                               |                                                   | covers two of those access masks.  |
+|                               |                                                   | Anything that has the right bits   |
+|                               |                                                   | are wildcards essentially [#f2]_   |
++-------------------------------+---------------------------------------------------+------------------------------------+
 
 .. rubric:: References:
 
-.. [#f1] https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/
+.. [#f1] https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/
+.. [#f2] https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
diff --git a/docs/levels/technique.rst b/docs/levels/technique.rst
@@ -20,14 +20,8 @@ Observables
 |                           |  SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\       |  regardless of implementation [#f1]_ |
 |                           |  Schedule\\TaskCache"                                    |                                      |
 +---------------------------+----------------------------------------------------------+--------------------------------------+
-|  OS Credential Dumping:   |  TargetImage = lsass.exe                                 | The Splunk team outlines their       |
-|  LSASS Memory (T1003.001) |  GrantedAccess: 0x1010 OR 0x1410                         | research for LSASS Dumping covers    | 
-|                           |                                                          | multiple implementations of the      |
-|                           |                                                          | technique [#f2]_                     |
-+---------------------------+----------------------------------------------------------+--------------------------------------+
 
 
 .. rubric:: References
 
-.. [#f1] https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
-.. [#f2] https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
+.. [#f1] https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5