Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
Sigma rule
title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
    - id: 36803969-5421-41ec-b92f-8500f79c23b0
      type: similar
status: test
description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
author: Florian Roth (Nextron Systems)
date: 2021-02-26
modified: 2022-12-19
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
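The rule's detection block is a single `contains` test on the `TargetObject` field of a Windows registry event. The following Python is an added example (not part of the Sigma rule or the Sigma project) that evaluates that same selection over a handful of constructed Sysmon-style registry events, so a detection engineer can see which event shapes fire and which do not. The event dictionaries, the `Image` values and the `C:\Temp\monitor.exe` path are all constructed sample data; the Sysmon event IDs 12 (key created/deleted) and 13 (value set) are the real IDs for registry events. Matching is done case-insensitively, which is how Sigma's `contains` modifier behaves by default.

```python
# Added example: evaluate the rule's `TargetObject|contains` selection
# over constructed registry events. Not the Sigma project's own code.

# Needle copied from the rule's selection; lowercased because Sigma string
# matching is case-insensitive by default.
NEEDLE = r"Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe".lower()


def matches_rule(event: dict) -> bool:
    """Return True when the event's TargetObject contains the rule's needle.

    Mirrors `TargetObject|contains: '...'` with `condition: selection`.
    Events without a string TargetObject (e.g. non-registry events) never match.
    """
    target = event.get("TargetObject")
    if not isinstance(target, str):
        return False
    return NEEDLE in target.lower()


def evaluate(events):
    """Return only the events that would trigger the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events in a Sysmon-like shape.
# EventID 12 = registry key created/deleted, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {   # key creation for lsass.exe under SilentProcessExit -> should fire
        "EventID": 12,
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe",
    },
    {   # value set beneath that key -> should fire (contains, not equals)
        "EventID": 13,
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe\MonitorProcess",
        "Details": r"C:\Temp\monitor.exe",  # constructed placeholder path
    },
    {   # SilentProcessExit entry for some other program -> must not fire
        "EventID": 13,
        "Image": r"C:\Program Files\ExampleApp\setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\exampleapp.exe\ReportingMode",
        "Details": "DWORD (0x00000001)",
    },
    {   # unrelated registry write -> must not fire
        "EventID": 13,
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain",
        "Details": "corp.example",
    },
    {   # a process-creation style event with no TargetObject -> ignored
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} Image={hit['Image']} TargetObject={hit['TargetObject']}")
```

Two of the five constructed events fire: the key creation and the value set beneath `...\SilentProcessExit\lsass.exe`. The `exampleapp.exe` entry shows why the needle ends with the process name rather than stopping at `SilentProcessExit`: legitimate software can register its own silent-exit monitoring, and only the lsass.exe entry is the credential-access signal this rule is after. Note that the accompanying `GlobalFlag` change under Image File Execution Options described in the second reference is not matched by this selection; it needs its own rule or a separate selection if you want that half of the technique covered as well.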
Related rules
- APT31 Judgement Panda Activity
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security