Password Dumper Remote Thread in LSASS
Detects password dumper activity by monitoring remote thread creation (Sysmon Event ID 8, CreateRemoteThread) where the target process is lsass.exe (TargetImage) and the new thread's start address does not lie inside any module loaded in the target (StartModule is empty, which is what Sysmon records when a thread starts in unbacked memory such as injected code). The process named in the SourceImage field is the suspected dumper. A single execution of such a tool can produce hundreds of these events, so expect bursts rather than isolated hits.
Sigma rule
title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
status: stable
description: |
    Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
    The process in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
author: Thomas Patzke
date: 2017/02/19
modified: 2021/06/21
tags:
    - attack.credential_access
    - attack.s0005
    - attack.t1003.001
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        StartModule: ''
    condition: selection
falsepositives:
    - Antivirus products
level: high
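The following is an added example, not code from the Sigma project or the rule's author: it applies the rule's selection block to a handful of constructed Sysmon Event ID 8 records and then collapses the hits per source image, which is how the "hundreds of events" from one execution are triaged in practice. The records use the real Sysmon field names (SourceImage, TargetImage, StartModule, StartAddress); the tool and antivirus paths are made up, and treating a missing StartModule the same as an empty one is an assumption about how the collecting backend renders the field.

```python
"""Apply the 'Password Dumper Remote Thread in LSASS' selection to Sysmon EID 8 records.

Added example (not part of the Sigma rule or project). Events are constructed
inline as dicts keyed by Sysmon Event ID 8 field names; a real pipeline would
read them from the Microsoft-Windows-Sysmon/Operational channel.
"""
from collections import Counter


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's 'selection' block.

    Sigma string matching is case-insensitive, so both the 'endswith' test
    and the empty-string test are done on normalised values.
    """
    if event.get("EventID") != 8:          # only CreateRemoteThread events apply
        return False
    target = (event.get("TargetImage") or "").lower()
    if not target.endswith("\\lsass.exe"):  # TargetImage|endswith: '\lsass.exe'
        return False
    # StartModule: '' -- Sysmon leaves it blank when the thread's start address
    # is not inside any module loaded in the target. A missing field is treated
    # as blank here (assumption about the backend, not part of the rule).
    return (event.get("StartModule") or "") == ""


def hits_by_source(events) -> dict:
    """Collapse matching events into one row per SourceImage.

    One dumper run yields many EID 8 events against lsass.exe; the analyst
    cares about which image did it, not about each individual thread.
    """
    return dict(Counter(e["SourceImage"] for e in events if matches_rule(e)))


def _eid8(source, target, start_module, start_address):
    """Build a minimal constructed Sysmon Event ID 8 record."""
    return {
        "EventID": 8,
        "SourceImage": source,
        "TargetImage": target,
        "StartModule": start_module,
        "StartAddress": start_address,
    }


# Constructed sample data (paths and addresses are invented for illustration).
SAMPLE_EVENTS = [
    # A dumper injecting into LSASS: thread starts in unbacked memory, StartModule blank.
    _eid8(r"C:\Tools\wce.exe", r"C:\Windows\System32\lsass.exe", "", "0x000001F2A3B40000"),
    _eid8(r"C:\Tools\wce.exe", r"C:\Windows\System32\lsass.exe", "", "0x000001F2A3B40010"),
    # Same tool, target path logged in different case: still matches.
    _eid8(r"C:\Tools\wce.exe", r"C:\Windows\SYSTEM32\LSASS.EXE", "", "0x000001F2A3B40020"),
    # Hypothetical antivirus engine doing the same thing: the rule's listed false positive.
    _eid8(r"C:\Program Files\ExampleAV\avscan.exe", r"C:\Windows\System32\lsass.exe", "",
          "0x00007FF6C0001000"),
    # Remote thread into lsass.exe whose start address lies inside a loaded module: excluded.
    _eid8(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe",
          r"C:\Windows\System32\ntdll.dll", "0x00007FFB12345678"),
    # Remote thread into a different process: excluded regardless of StartModule.
    _eid8(r"C:\Tools\wce.exe", r"C:\Windows\System32\notepad.exe", "", "0x0000020000000000"),
]


if __name__ == "__main__":
    for source, count in hits_by_source(SAMPLE_EVENTS).items():
        print(f"{count:4d} remote thread(s) into lsass.exe from {source}")
```

Running it reports three hits for the constructed wce.exe path and one for the constructed antivirus path; the latter is the case the rule's falsepositives entry refers to, and in a deployment it would be handled by an allowlist filter on SourceImage rather than by weakening the StartModule condition.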
References
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
Related rules
- HackTool - Windows Credential Editor (WCE) Execution
- Credential Dumping Tools Service Execution - System
- Credential Dumping Tools Service Execution - Security
- Windows Credential Editor Registry
- HackTool - CrackMapExec Process Patterns