SigmaHQ/rules/windows/builtin/win_susp_lsass_dump.yml

title: Password Dumper Activity on LSASS
id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
status: experimental
date: 2017/02/12
references:
    - https://twitter.com/jackcr/status/807385668833968128
tags:
    - attack.credential_access
    - attack.t1003           # an old one
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ProcessName: 'C:\Windows\System32\lsass.exe'
        AccessMask: '0x705'
        ObjectType: 'SAM_DOMAIN'
    condition: selection
falsepositives:
    - Unknown
level: high
New rules and cleanup 2017-02-12 14:50:39 +00:00			`title: Password Dumper Activity on LSASS`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c`
windows builtin mitre attack tags 2018-07-24 04:34:20 +00:00			`description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN`
New rules and cleanup 2017-02-12 14:50:39 +00:00			`status: experimental`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2017/02/12`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://twitter.com/jackcr/status/807385668833968128`
windows builtin mitre attack tags 2018-07-24 04:34:20 +00:00			`tags:`
			`- attack.credential_access`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1003 # an old one`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1003.001`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`logsource:`
Removed lists from log source section 2017-02-19 10:08:23 +00:00			`product: windows`
Windows Built-In rules > LogSource definition 2017-03-05 22:55:52 +00:00			`service: security`
Renamed rule files, new rules 2017-02-10 18:17:02 +00:00			`detection:`
			`selection:`
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. 2017-02-15 22:53:08 +00:00			`EventID: 4656`
			`ProcessName: 'C:\Windows\System32\lsass.exe'`
			`AccessMask: '0x705'`
			`ObjectType: 'SAM_DOMAIN'`
Renamed rule files, new rules 2017-02-10 18:17:02 +00:00			`condition: selection`
			`falsepositives:`
fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00			`- Unknown`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: high`