Credential Dumping Activity By Python Based Tool
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
Sigma rule
title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
    - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
      type: obsoletes
    - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
      type: obsoletes
status: stable
description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
    - https://twitter.com/bh4b3sh/status/1303674603819081728
    - https://github.com/skelsec/pypykatz
author: Bhabesh Raj, Jonhnathan Ribeiro
date: 2023/11/27
modified: 2023/11/29
tags:
    - attack.credential_access
    - attack.t1003.001
    - attack.s0349
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        CallTrace|contains|all:
            - '_ctypes.pyd+'
            - ':\Windows\System32\KERNELBASE.dll+'
            - ':\Windows\SYSTEM32\ntdll.dll+'
        CallTrace|contains:
            - 'python27.dll+'
            - 'python3*.dll+'
        GrantedAccess: '0x1FFFFF'
    condition: selection
falsepositives:
    - Unknown
level: high
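As an added example (not part of the rule or the SigmaHQ project), the selection block above expressed as Python and run over constructed Sysmon Event ID 10 records; it reproduces Sigma's case-insensitive `contains` matching, including the `*` wildcard in `python3*.dll+`, and assumes events arrive as dicts keyed by Sysmon field name.

```python
import re

# Selection values copied from the rule above.
CALLTRACE_ALL = ["_ctypes.pyd+", ":\\Windows\\System32\\KERNELBASE.dll+",
                 ":\\Windows\\SYSTEM32\\ntdll.dll+"]
CALLTRACE_ANY = ["python27.dll+", "python3*.dll+"]

def sigma_contains(value, pattern):
    """Sigma 'contains': case-insensitive substring match where '*' and '?'
    in the rule value are wildcards (python3*.dll+ matches python311.dll+)."""
    parts = re.split(r"([*?])", pattern)
    rx = "".join(".*" if p == "*" else "." if p == "?" else re.escape(p)
                 for p in parts)
    return re.search(rx, value, re.IGNORECASE) is not None

def matches_rule(event):
    """Evaluate the rule's 'selection' block against one process_access
    event given as a dict of Sysmon field names (assumed input shape)."""
    trace = event.get("CallTrace", "")
    return (
        event.get("TargetImage", "").lower().endswith("\\lsass.exe")
        and all(sigma_contains(trace, p) for p in CALLTRACE_ALL)
        and any(sigma_contains(trace, p) for p in CALLTRACE_ANY)
        and event.get("GrantedAccess", "").lower() == "0x1fffff")

def flag_events(events):
    # Indices of the events that trigger the rule.
    return [i for i, e in enumerate(events) if matches_rule(e)]

# Constructed Sysmon Event ID 10 records (not real telemetry). The CallTrace
# offsets are made up; only the module names matter to the rule.
STACK = ("C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|"
         "C:\\Windows\\System32\\KERNELBASE.dll+2bd1e|")
SAMPLE_EVENTS = [
    # Full-access handle to LSASS from a Python 3 interpreter via ctypes: hit.
    {"TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": STACK + "C:\\Python311\\DLLs\\_ctypes.pyd+5f3a|"
                          "C:\\Python311\\python311.dll+1a2b3c"},
    # Same Python 2.7 call chain but a limited access mask: no hit.
    {"TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": STACK + "C:\\Python27\\DLLs\\_ctypes.pyd+5f3a|"
                          "C:\\Python27\\python27.dll+1a2b3c"},
    # Full access and Python frames, but the target is not LSASS: no hit.
    {"TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": STACK + "C:\\Python311\\DLLs\\_ctypes.pyd+5f3a|"
                          "C:\\Python311\\python311.dll+1a2b3c"},
]

if __name__ == "__main__":
    print("matching event indices:", flag_events(SAMPLE_EVENTS))  # -> [0]
```

The second record shows why `GrantedAccess` is part of the selection: the same Python call chain with a narrower access mask is deliberately left out of scope by the rule.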
Related rules
- Credential Dumping Attempt Via WerFault
- HackTool - Generic Process Access
- LSASS Access From Potentially White-Listed Processes
- LSASS Memory Access by Tool With Dump Keyword In Name
- Lsass Memory Dump via Comsvcs DLL