SigmaHQ/rules/windows/sysmon/sysmon_password_dumper_lsass.yml

26 lines
822 B
YAML
Raw Normal View History

2019-11-12 22:12:27 +00:00
title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
2020-06-16 20:46:08 +00:00
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
2018-07-17 21:58:11 +00:00
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status: stable
author: Thomas Patzke
date: 2017/02/19
logsource:
product: windows
service: sysmon
2017-02-12 14:50:39 +00:00
detection:
selection:
EventID: 8
TargetImage: 'C:\Windows\System32\lsass.exe'
StartModule: ''
2017-02-12 14:50:39 +00:00
condition: selection
2018-07-17 21:58:11 +00:00
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
2020-06-16 20:46:08 +00:00
- attack.t1003.001
2017-02-12 14:50:39 +00:00
falsepositives:
- unknown
2017-02-16 17:02:26 +00:00
level: high