2019-11-12 22:12:27 +00:00
title : Password Dumper Remote Thread in LSASS
id : f239b326-2f41-4d6b-9dfa-c846a60ef505
2020-06-16 20:46:08 +00:00
description : Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
2018-07-17 21:58:11 +00:00
references :
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status : stable
2017-02-18 23:31:59 +00:00
author : Thomas Patzke
2020-01-30 15:07:37 +00:00
date : 2017 /02/19
2017-02-18 23:31:59 +00:00
logsource :
2017-03-13 08:23:08 +00:00
product : windows
service : sysmon
2017-02-12 14:50:39 +00:00
detection :
selection :
2017-02-15 22:53:08 +00:00
EventID : 8
2018-03-26 20:53:38 +00:00
TargetImage : 'C:\Windows\System32\lsass.exe'
2020-07-23 12:31:21 +00:00
StartModule : ''
2017-02-12 14:50:39 +00:00
condition : selection
2018-07-17 21:58:11 +00:00
tags :
- attack.credential_access
2020-08-29 00:03:28 +00:00
- attack.t1003 # an old one
2018-07-17 21:58:11 +00:00
- attack.s0005
2020-06-16 20:46:08 +00:00
- attack.t1003.001
2017-02-12 14:50:39 +00:00
falsepositives :
- unknown
2017-02-16 17:02:26 +00:00
level : high