Update sysmon_lsass_memory_dump_file_creation.yml

This commit is contained in:
yugoslavskiy 2019-11-14 00:55:20 +03:00 committed by GitHub
parent f0cce60a2c
commit 4b8873b706
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -4,6 +4,7 @@ author: Teymur Kheirkhabarov, oscd.community
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
date: 2019/10/22
modified: 2019/11/13
tags:
- attack.credential_access
- attack.t1003
@ -13,9 +14,8 @@ logsource:
detection:
selection:
EventID: 11
TargetFilename|all:
- "*lsass*"
- "*dmp"
TargetFilename|contains: 'lsass'
TargetFilename|endswith: 'dmp'
condition: selection
falsepositives:
- Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator
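Review bot: `TargetFilename|endswith: 'dmp'` on the new side matches any path that ends in the three letters dmp rather than the `.dmp` extension, so a constructed name such as `lsass_tmpdmp` would also satisfy the selection; if the extension is what is meant, `TargetFilename|endswith: '.dmp'` is the tighter form (the removed `*dmp` wildcard had the same looseness, so this is a precision point rather than a regression). The two modifiers sit under the same `selection` mapping and are therefore ANDed, which keeps the meaning of the removed `|all` list; a one-line comment above them, e.g. `# both modifiers must match: name contains 'lsass' and ends with 'dmp'`, would make that implicit AND clear to readers less familiar with Sigma. The `falsepositives` context line also still carries the typo `invetigator` (investigator), untouched by this commit.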