Update sysmon_lsass_memdump.yml

This commit is contained in:
sbousseaden 2019-04-03 14:06:49 +02:00 committed by GitHub
parent a85c668f6f
commit 016261cacf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,6 +1,6 @@
title: LSASS Memory Dump
status: experimental
description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll
description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
@ -16,7 +16,9 @@ detection:
EventID: 10
TargetImage: 'C:\windows\system32\lsass.exe'
GrantedAccess: '0x1fffff'
CallTrace: '*dbghelp.dll*'
CallTrace:
- '*dbghelp.dll*'
- '*dbgcore.dll*'
condition: selection
falsepositives:
- unknown
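Review bot: `GrantedAccess: '0x1fffff'` on the line above the new CallTrace list is still a single exact value, so an lsass.exe open that uses any narrower access mask will not match even when the call trace goes through dbghelp.dll or dbgcore.dll; if pinning the full-access mask is deliberate to hold down false positives, record that next to it, e.g. `GrantedAccess: '0x1fffff'  # full-access mask only; narrower masks deliberately out of scope`, otherwise turn it into a value list the way CallTrace now is. The two CallTrace entries are ORed in Sigma, which matches the intent, but the reason for the second entry lives only in the description; an inline `- '*dbgcore.dll*'  # Windows 10 (see description)` keeps it with the logic. `falsepositives` still reads `unknown` although the description itself names taskmgr, so an administrator-initiated dump via Task Manager is a benign case worth listing for triage. The `detection:` mapping begins before this hunk.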