title: Password Dumper Activity on LSASS description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN status: experimental reference: https://twitter.com/jackcr/status/807385668833968128 logsource: product: windows detection: selection: EventLog: Security EventID: 4656 ProcessName: 'C:\Windows\System32\lsass.exe' AccessMask: '0x705' ObjectType: 'SAM_DOMAIN' condition: selection falsepositives: - Unkown level: high