Password Dumper Activity on LSASS
Detects a Security log handle request (Event ID 4656) involving lsass.exe with access mask 0x705 and object type SAM_DOMAIN, a combination associated with password dumper activity. Event ID 4656 is only written when object access auditing is enabled for the relevant subcategory, so an absence of matches does not by itself mean no dumping took place.
Sigma rule
title: Password Dumper Activity on LSASS
id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
status: test
description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
references:
    - https://twitter.com/jackcr/status/807385668833968128
author: sigma
date: 2017-02-12
modified: 2022-10-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ProcessName|endswith: '\lsass.exe'
        AccessMask: '0x705'
        ObjectType: 'SAM_DOMAIN'
    condition: selection
falsepositives:
    - Unknown
level: high
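The selection above is a conjunction of four field conditions, and the `endswith` modifier on ProcessName plus Sigma's case-insensitive string matching decide what does and does not fire. The following Python is an added example, not part of the Sigma rule or of SigmaHQ's own tooling: it implements exactly this rule's selection and runs it over a handful of constructed Security event records whose field names mirror the EventData block of Event ID 4656. The records are made up for illustration; the `run_rule` and `field_matches` helpers are this example's own names, not a Sigma API.

```python
"""Evaluate the 'Password Dumper Activity on LSASS' Sigma selection over
Windows Security events.

Added example, not the rule's or SigmaHQ's code. The event records below are
constructed to mirror the EventData fields of Security Event ID 4656; they
are not real log captures.
"""
from typing import Any, Dict, Iterable, List

# The rule's selection, copied as (modifier, expected value) per field.
# A bare field (no '|modifier') is an equality test in Sigma.
SELECTION = {
    "EventID": ("eq", 4656),
    "ProcessName": ("endswith", "\\lsass.exe"),
    "AccessMask": ("eq", "0x705"),
    "ObjectType": ("eq", "SAM_DOMAIN"),
}


def _norm(value: Any) -> str:
    # Sigma string matching is case-insensitive; EventID arrives as an
    # integer while masks and paths are strings, so compare everything as
    # lower-cased text.
    return str(value).lower()


def field_matches(modifier: str, expected: Any, actual: Any) -> bool:
    """Apply one Sigma field condition to one event field value."""
    if actual is None:          # field absent from the event: no match
        return False
    a, e = _norm(actual), _norm(expected)
    if modifier == "eq":
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier {modifier!r}")


def event_matches(event: Dict[str, Any]) -> bool:
    """'condition: selection' means every field in the map must match."""
    return all(field_matches(mod, exp, event.get(field))
               for field, (mod, exp) in SELECTION.items())


def run_rule(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events that would raise this rule's alert."""
    return [ev for ev in events if event_matches(ev)]


# Constructed sample events (field names as in the 4656 EventData block).
SAMPLE_EVENTS = [
    {   # 4656 from lsass.exe, mask 0x705 on a SAM_DOMAIN object: alerts
        "EventID": 4656, "ProcessName": r"C:\Windows\System32\lsass.exe",
        "AccessMask": "0x705", "ObjectType": "SAM_DOMAIN",
        "SubjectUserName": "SYSTEM",
    },
    {   # same, but path and object type differ only in case: still alerts
        "EventID": 4656, "ProcessName": r"C:\WINDOWS\SYSTEM32\LSASS.EXE",
        "AccessMask": "0x705", "ObjectType": "sam_domain",
        "SubjectUserName": "SYSTEM",
    },
    {   # same mask but a File object, not SAM_DOMAIN: no alert
        "EventID": 4656, "ProcessName": r"C:\Windows\System32\lsass.exe",
        "AccessMask": "0x705", "ObjectType": "File",
        "SubjectUserName": "SYSTEM",
    },
    {   # name merely contains lsass.exe; endswith does not match: no alert
        "EventID": 4656, "ProcessName": r"C:\Temp\lsass.exe.bak",
        "AccessMask": "0x705", "ObjectType": "SAM_DOMAIN",
        "SubjectUserName": "user",
    },
    {   # handle closed (4658) rather than requested (4656): no alert
        "EventID": 4658, "ProcessName": r"C:\Windows\System32\lsass.exe",
        "AccessMask": "0x705", "ObjectType": "SAM_DOMAIN",
        "SubjectUserName": "SYSTEM",
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit["ProcessName"], hit["AccessMask"], hit["ObjectType"])
```

Only the first two constructed records fire. To run this against real data, export the Security log's 4656 events with their EventData fields as JSON (for example with Get-WinEvent in PowerShell) and pass the resulting dictionaries to `run_rule`; remember that no 4656 events exist at all unless object access auditing is enabled.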
References
- https://twitter.com/jackcr/status/807385668833968128
Related rules
- APT31 Judgement Panda Activity
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security