valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
61d31c3f3a
SigmaHQ/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
Florian Roth e79e99c4aa fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00

26 lines
805 B
YAML
Raw Blame History

title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process
in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status: stable
author: Thomas Patzke
date: 2017/02/19
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
TargetImage: 'C:\Windows\System32\lsass.exe'
StartModule: null
condition: selection
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
falsepositives:
- unknown
level: high
Reference in New Issue View Git Blame Copy Permalink