Potential Credential Dumping Via LSASS Process Clone
Detects a suspicious LSASS process clone (an lsass.exe process whose parent is itself lsass.exe), which could be a sign of credential dumping activity
Sigma rule
```yaml
title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
references:
    - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
    - https://twitter.com/Hexacorn/status/1420053502554951689
    - https://twitter.com/SBousseaden/status/1464566846594691073?s=20
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2021-11-27
modified: 2023-03-02
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Windows\System32\lsass.exe'
        Image|endswith: '\Windows\System32\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
```
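The selection above is a two-field AND: the new process image and its parent image must both end with `\Windows\System32\lsass.exe`. A legitimately started LSASS is a child of wininit.exe, so an lsass.exe whose parent is lsass.exe is the clone the rule is after. The following Python is an added example, not code from the Sigma rule or the SigmaHQ project: it applies the rule's selection to a handful of constructed process_creation records (Sigma field names `Image` and `ParentImage`; the events are made up for this example, not captured logs) and reproduces the Sigma semantics that matter here, namely that string modifiers such as `endswith` compare case-insensitively and that every key in a selection map must match. The `startswith`/`contains`/plain-wildcard branches go slightly beyond what this rule uses, so the same matcher can be pointed at other process_creation rules.

```python
"""Apply the rule's selection to constructed Windows process_creation events.

Added example, not part of the Sigma rule or the SigmaHQ project.
Field names follow the Sigma process_creation taxonomy (Image, ParentImage);
the event records below are constructed for this example, not captured logs.
"""
import fnmatch

# Constructed sample events using Sigma process_creation field names.
SAMPLE_EVENTS = [
    # 0: normal LSASS start, parent is wininit.exe -> no match
    {"EventID": 1, "Image": r"C:\Windows\System32\lsass.exe",
     "ParentImage": r"C:\Windows\System32\wininit.exe"},
    # 1: lsass.exe spawning lsass.exe, the pattern the rule looks for -> match
    {"EventID": 1, "Image": r"C:\Windows\System32\lsass.exe",
     "ParentImage": r"C:\Windows\System32\lsass.exe"},
    # 2: same pattern with mixed case; Sigma string matching is case-insensitive -> match
    {"EventID": 1, "Image": r"c:\windows\system32\LSASS.EXE",
     "ParentImage": r"C:\WINDOWS\SYSTEM32\lsass.exe"},
    # 3: a binary merely named lsass.exe outside System32 is out of scope for this rule -> no match
    {"EventID": 1, "Image": r"C:\Users\Public\lsass.exe",
     "ParentImage": r"C:\Users\Public\lsass.exe"},
    # 4: unrelated service host -> no match
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# The rule's selection as written in the YAML; all keys must match (AND).
SELECTION = {
    "ParentImage|endswith": r"\Windows\System32\lsass.exe",
    "Image|endswith": r"\Windows\System32\lsass.exe",
}


def field_matches(value, modifier, pattern):
    """Compare one field value against a pattern using Sigma string semantics.

    Sigma string comparisons are case-insensitive; without a modifier the
    pattern is an exact match that may carry * and ? wildcards.
    """
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier is None:
        return fnmatch.fnmatchcase(v, p)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """True when every 'Field|modifier: pattern' entry of the selection matches."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not field_matches(event[field], modifier or None, pattern):
            return False
    return True


def run_rule(events, selection=SELECTION):
    """Return the indexes of the events that trigger the rule."""
    return [i for i, event in enumerate(events) if selection_matches(event, selection)]


if __name__ == "__main__":
    for idx in run_rule(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[idx]
        print(f"ALERT event {idx}: {e['ParentImage']} -> {e['Image']}")
```

Running the script alerts on events 1 and 2 only. Event 3 is a reminder that the rule is deliberately narrow: it keys on the System32 path on both sides, so a look-alike lsass.exe dropped elsewhere is left to other rules, while the real LSASS acting as a parent of another real LSASS is the critical-severity signal.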
Related rules
- APT31 Judgement Panda Activity
- Access To Crypto Currency Wallets By Uncommon Applications
- Capture Credentials with Rpcping.exe
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool