title: Generic Password Dumper Activity on LSASS id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76 description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 modified: 2019/11/07 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: - attack.credential_access - attack.t1003 - car.2019-04-004 - attack.t1003.001 logsource: product: windows service: security detection: selection_1: EventID: 4656 ObjectName|endswith: '\lsass.exe' AccessMask|contains: - '0x40' - '0x1400' - '0x1000' - '0x100000' - '0x1410' # car.2019-04-004 - '0x1010' # car.2019-04-004 - '0x1438' # car.2019-04-004 - '0x143a' # car.2019-04-004 - '0x1418' # car.2019-04-004 - '0x1f0fff' - '0x1f1fff' - '0x1f2fff' - '0x1f3fff' selection_2: EventID: 4663 ObjectName|endswith: '\lsass.exe' AccessList|contains: - '4484' - '4416' filter: ProcessName|endswith: - '\wmiprvse.exe' - '\taskmgr.exe' - '\procexp64.exe' - '\procexp.exe' - '\lsm.exe' - '\csrss.exe' - '\wininit.exe' - '\vmtoolsd.exe' condition: selection_1 or selection_2 and not filter fields: - ComputerName - SubjectDomainName - SubjectUserName - ProcessName - ProcessID falsepositives: - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it level: high