SigmaHQ/rules/windows/sysmon/sysmon_password_dumper_lsass.yml

title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status: stable
author: Thomas Patzke
date: 2017/02/19
modified: 2021/04/01
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 8
        TargetImage: 'C:\Windows\System32\lsass.exe'
        StartModule: ''
    condition: selection
tags:
    - attack.credential_access
    - attack.t1003          # an old one
    - attack.s0005
    - attack.t1003.001
falsepositives:
    - Antivirus products
level: high
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`title: Password Dumper Remote Thread in LSASS`
			`id: f239b326-2f41-4d6b-9dfa-c846a60ef505`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.`
ATT&CK tagging 2018-07-17 21:58:11 +00:00			`references:`
			`- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm`
			`status: stable`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`author: Thomas Patzke`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2017/02/19`
fix: adding only as a known false positive as it cannot be filtered out in a generic and public way 2021-04-01 09:13:59 +00:00			`modified: 2021/04/01`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00			`product: windows`
			`service: sysmon`
New rules and cleanup 2017-02-12 14:50:39 +00:00			`detection:`
			`selection:`
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. 2017-02-15 22:53:08 +00:00			`EventID: 8`
Various rule fixes * Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename 2018-03-26 20:53:38 +00:00			`TargetImage: 'C:\Windows\System32\lsass.exe'`
Update sysmon_password_dumper_lsass.yml 2020-07-23 12:31:21 +00:00			`StartModule: ''`
New rules and cleanup 2017-02-12 14:50:39 +00:00			`condition: selection`
ATT&CK tagging 2018-07-17 21:58:11 +00:00			`tags:`
			`- attack.credential_access`
review windows/sysmon 2020-08-29 00:03:28 +00:00			`- attack.t1003 # an old one`
ATT&CK tagging 2018-07-17 21:58:11 +00:00			`- attack.s0005`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1003.001`
New rules and cleanup 2017-02-12 14:50:39 +00:00			`falsepositives:`
fix: adding only as a known false positive as it cannot be filtered out in a generic and public way 2021-04-01 09:13:59 +00:00			`- Antivirus products`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: high`