feat(rules): New Potential LSA secrets registry dumping rule

rules/credential_access_potential_lsa_secrets_registry_dumping.yml

@@ -0,0 +1,54 @@
+name: Potential LSA secrets registry dumping
+id: e5e95cbe-c8ab-418c-abe3-539d70a0b0af
+version: 1.0.0
+description: |
+  Identifies potential dumping of LSA secrets by suspicious processes that access
+  sensitive SECURITY registry hives associated with cached credentials and LSA secret
+  storage.
+  This behavior is commonly observed in credential dumping utilities attempting to
+  extract plaintext secrets, service credentials, or cached domain credentials from
+  the Local Security Authority.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.id: T1003
+  technique.name: OS Credential Dumping
+  technique.ref: https://attack.mitre.org/techniques/T1003/
+  subtechnique.id: T1003.004
+  subtechnique.name: LSA secrets
+  subtechnique.ref: https://attack.mitre.org/techniques/T1003/004/
+references:
+  - https://github.com/almounah/silp
+
+condition: >
+  sequence
+  maxspan 10m
+  by ps.uuid
+    |spawn_process and
+     ps.token.integrity_level not in ('LOW', 'MEDIUM') and
+     ps.exe not imatches
+                (
+                  '?:\\Windows\\regedit.exe',
+                  '?:\\Program Files\\*',
+                  '?:\\Program Files (x86)\\*',
+                  '?:\\Windows\\System32\\lsass.exe'
+                )
+    |
+    |open_registry and
+     registry.path imatches
+                (
+                  'HKEY_LOCAL_MACHINE\\SECURITY\\CACHE\\*',
+                  'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\*'
+                ) and
+      registry.path not imatches
+                (
+                  'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\$MACHINE.ACC\\CupdTime\\*'
+                )
+    |
+action:
+  - name: kill
+
+severity: critical
+
+min-engine-version: 3.0.0