SigmaHQ/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml

title: SilentProcessExit Monitor Registrytion for LSASS
id: 55e29995-75e7-451a-bef0-6225e2f13597
description: Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory
author: Florian Roth
references:
    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
date: 2021/02/26
tags:
    - attack.credential_access
    - attack.t1003.007
logsource:
    category: registry_event
    product: windows
detection:
    selection:       
        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
rule: SilentProcessExit monitors 2021-02-26 16:35:42 +00:00			`title: SilentProcessExit Monitor Registrytion for LSASS`
			`id: 55e29995-75e7-451a-bef0-6225e2f13597`
			`description: Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory`
			`author: Florian Roth`
			`references:`
			`- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/`
			`- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/`
			`date: 2021/02/26`
			`tags:`
			`- attack.credential_access`
			`- attack.t1003.007`
			`logsource:`
			`category: registry_event`
			`product: windows`
			`detection:`
			`selection:`
			`TargetObject\|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'`
			`condition: selection`
			`falsepositives:`
			`- Unknown`
			`level: critical`