Detects potential calls to NtOpenProcess directly from NTDLL.

Read More

Detects process access requests from hacktool processes based on their default image name

Read More

Detects process access requests to LSASS process with potentially suspicious access flags

Read More

Detects various indicators of Microsoft Connection Manager Profile Installer execution

Read More

Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.

Read More

Detects when a process tries to access the memory of svchost to potentially dump credentials.

Read More

Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.

Read More

Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.

Read More

Detects a typical pattern of a CobaltStrike BOF which inject into other processes

Read More

Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles

Read More

Detects the process injection of a LittleCorporal generated Maldoc.

Read More

Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon

Read More

Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference

Read More

Detects LSASS process access requests from a source process with the "dump" keyword in its image name.

Read More

Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.

Read More

Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.

Read More

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

Read More

Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.

Read More

Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.

Read More

Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)

Read More

Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.

Read More