SigmaHQ/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml

title: SilentProcessExit Monitor Registration for LSASS
id: 55e29995-75e7-451a-bef0-6225e2f13597
description: Detects changes to the Registry in which a monitor program gets registered to dump the process memory of lsass.exe
author: Florian Roth
references:
    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
date: 2021/02/26
tags:
    - attack.credential_access
    - attack.t1003.007
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
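As an added example (not part of the SigmaHQ rule or repository), the Python below applies this rule's `selection` to constructed Sysmon registry events (EventID 12 key created, 13 value set) using Sigma's default case-insensitive `|contains` semantics; a backend that compiled the clause to a case-sensitive substring test would miss the second event, whose key was written as `LSASS.EXE`. The value names `MonitorProcess` and `ReportingMode` are the documented SilentProcessExit settings; the events themselves are constructed, not real telemetry.

```python
from typing import Iterable

# The selection from the rule above: a single `TargetObject|contains` clause.
SELECTION = {
    "TargetObject|contains": r"Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe",
}

def _clause_matches(field_spec: str, needle, event: dict) -> bool:
    """Evaluate one Sigma field clause. Only the modifiers needed here are
    implemented: none (equals), contains, startswith, endswith. Sigma string
    matching is case-insensitive by default, so both sides are lower-cased."""
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if value is None:
        return False
    hay, needle = str(value).lower(), str(needle).lower()
    if modifier == "":
        return hay == needle
    if modifier == "contains":
        return needle in hay
    if modifier == "startswith":
        return hay.startswith(needle)
    if modifier == "endswith":
        return hay.endswith(needle)
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """A Sigma selection map is an AND of all its field clauses."""
    return all(_clause_matches(k, v, event) for k, v in selection.items())

# Constructed sample events in the shape of Sysmon registry telemetry
# (EventID 12 = key created/deleted, 13 = value set). Not real data.
SAMPLE_EVENTS = [
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\LSASS.EXE\MonitorProcess"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\ReportingMode"},
]

def matching_events(events: Iterable[dict]) -> list:
    """Return the events the rule's selection fires on."""
    return [e for e in events if selection_matches(e)]

if __name__ == "__main__":
    for e in matching_events(SAMPLE_EVENTS):
        print(f"ALERT EventID={e['EventID']} {e['Image']} -> {e['TargetObject']}")
```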