Password Dumper Remote Thread in LSASS
Detects password dumper activity by monitoring remote thread creation (Sysmon Event ID 8) where the target process (TargetImage) is lsass.exe. The rule only fires when Sysmon could not resolve the thread's start address to a loaded module (StartModule is empty), which is typical of injected code rather than a thread started from a legitimately loaded DLL. The process in the source process field (SourceImage in Sysmon) is the malicious program. A single execution can lead to hundreds of events, so alerting should be aggregated per source process.
Sigma rule
title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
status: stable
description: |
    Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
    The process in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
author: Thomas Patzke
date: 2017-02-19
modified: 2021-06-21
tags:
    - attack.credential-access
    - attack.s0005
    - attack.t1003.001
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        StartModule: ''
    condition: selection
falsepositives:
    - Antivirus products
level: high
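The following is an added example, not part of the Sigma project or this rule's page: it ports the rule's `selection` block to Python, runs it over constructed Sysmon Event ID 8 records, and collapses the many events one dump run produces into a single alert per source process. The sample records, image paths and process IDs are made up for the example; the field names follow Sysmon's CreateRemoteThread schema. Sigma's `endswith` modifier is case-insensitive, so the comparison lowercases the path first.

```python
"""Added example (not the Sigma project's code): apply the rule's selection
to Sysmon Event ID 8 records and aggregate hits per source process."""
from collections import defaultdict

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records for the example.
# Paths, PIDs and timestamps are invented; field names match Sysmon's schema.
SAMPLE_EVENTS = [
    # Two of the "hundreds" of events a single dumper run produces.
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:00.001",
     "SourceImage": r"C:\Users\Public\dumper.exe", "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 688,
     "StartAddress": "0x000001F2A3B40000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:00.002",
     "SourceImage": r"C:\Users\Public\dumper.exe", "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 688,
     "StartAddress": "0x000001F2A3B40100", "StartModule": "", "StartFunction": ""},
    # Benign (the rule's listed false positive): an AV product creating a
    # thread in lsass whose start address resolves to a known module.
    {"EventID": 8, "UtcTime": "2024-01-01 10:05:00.000",
     "SourceImage": r"C:\Program Files\ExampleAV\avscan.exe", "SourceProcessId": 1532,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 688,
     "StartAddress": "0x00007FFB1A2B0000",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "LdrInitializeThunk"},
    # Unresolved start module, but the target is not lsass.exe.
    {"EventID": 8, "UtcTime": "2024-01-01 10:06:00.000",
     "SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": 900,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 2210,
     "StartAddress": "0x000001C000010000", "StartModule": "", "StartFunction": ""},
    # Not a CreateRemoteThread event at all (process creation).
    {"EventID": 1, "UtcTime": "2024-01-01 10:07:00.000",
     "Image": r"C:\Windows\System32\lsass.exe", "ProcessId": 688},
]


def matches_rule(event):
    """Port of the rule's `selection`: Event ID 8, TargetImage ending in
    \\lsass.exe (case-insensitive, as Sigma's endswith is), and an empty
    StartModule, i.e. Sysmon could not map the thread start to a module."""
    if event.get("EventID") != 8:
        return False
    target = event.get("TargetImage", "")
    return target.lower().endswith("\\lsass.exe") and event.get("StartModule", "") == ""


def alerts_by_source(events):
    """Group matching events by (SourceImage, SourceProcessId) so a dump run
    that raises hundreds of Event ID 8 records yields one alert row carrying
    the hit count and the first/last timestamp seen."""
    grouped = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in events:
        if not matches_rule(ev):
            continue
        g = grouped[(ev.get("SourceImage"), ev.get("SourceProcessId"))]
        g["count"] += 1
        ts = ev.get("UtcTime")
        if ts is not None:
            g["first"] = ts if g["first"] is None else min(g["first"], ts)
            g["last"] = ts if g["last"] is None else max(g["last"], ts)
    return {key: dict(val) for key, val in grouped.items()}


if __name__ == "__main__":
    for (image, pid), info in alerts_by_source(SAMPLE_EVENTS).items():
        print(f"ALERT source={image} pid={pid} hits={info['count']} "
              f"first={info['first']} last={info['last']}")
```

The AV record is excluded not because of its image name but because its `StartModule` resolved, which is exactly the property the rule keys on; an AV product that injects unresolvable code into lsass would still match and needs an allow-list outside the rule.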
References
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
Related rules
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- HackTool - Windows Credential Editor (WCE) Execution
- Windows Credential Editor Registry
- APT31 Judgement Panda Activity