SigmaHQ/rules/windows/sysmon/sysmon_password_dumper_lsass.yml

title: Password Dumper Remote Thread in LSASS 
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status: stable
author: Thomas Patzke
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 8
        TargetImage: 'C:\Windows\System32\lsass.exe'
        StartModule: null
    condition: selection
tags:
    - attack.credential_access
    - attack.t1003
    - attack.s0005
falsepositives:
    - unknown
level: high
LSASS Remote Thread Update 2017-02-12 15:33:09 +00:00			`title: Password Dumper Remote Thread in LSASS`
ATT&CK tagging 2018-07-17 21:58:11 +00:00			`description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.`
			`references:`
			`- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm`
			`status: stable`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`author: Thomas Patzke`
			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00			`product: windows`
			`service: sysmon`
New rules and cleanup 2017-02-12 14:50:39 +00:00			`detection:`
			`selection:`
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. 2017-02-15 22:53:08 +00:00			`EventID: 8`
Various rule fixes * Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename 2018-03-26 20:53:38 +00:00			`TargetImage: 'C:\Windows\System32\lsass.exe'`
Added proper handling of null/not null values Fixes issue #25 2017-10-29 22:57:39 +00:00			`StartModule: null`
New rules and cleanup 2017-02-12 14:50:39 +00:00			`condition: selection`
ATT&CK tagging 2018-07-17 21:58:11 +00:00			`tags:`
			`- attack.credential_access`
			`- attack.t1003`
			`- attack.s0005`
New rules and cleanup 2017-02-12 14:50:39 +00:00			`falsepositives:`
			`- unknown`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: high`