Credential Dumping Activity By Python Based Tool
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
Sigma rule (View on GitHub)
1title: Credential Dumping Activity By Python Based Tool
2id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
3related:
4 - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
5 type: obsolete
6 - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
7 type: obsolete
8status: stable
9description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
10references:
11 - https://twitter.com/bh4b3sh/status/1303674603819081728
12 - https://github.com/skelsec/pypykatz
13author: Bhabesh Raj, Jonhnathan Ribeiro
14date: 2023-11-27
15modified: 2023-11-29
16tags:
17 - attack.credential-access
18 - attack.t1003.001
19 - attack.s0349
20logsource:
21 category: process_access
22 product: windows
23detection:
24 selection:
25 TargetImage|endswith: '\lsass.exe'
26 CallTrace|contains|all:
27 - '_ctypes.pyd+'
28 - ':\Windows\System32\KERNELBASE.dll+'
29 - ':\Windows\SYSTEM32\ntdll.dll+'
30 CallTrace|contains:
31 - 'python27.dll+'
32 - 'python3*.dll+'
33 GrantedAccess: '0x1FFFFF'
34 condition: selection
35falsepositives:
36 - Unknown
37level: high
References
Related rules
- APT31 Judgement Panda Activity
- Antivirus Password Dumper Detection
- Cred Dump Tools Dropped Files
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security