SigmaHQ/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
2020-06-16 14:46:08 -06:00

26 lines
819 B
YAML

title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status: stable
author: Thomas Patzke
date: 2017/02/19
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
TargetImage: 'C:\Windows\System32\lsass.exe'
StartModule:
condition: selection
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
- attack.t1003.001
falsepositives:
- unknown
level: high