attack.s0002

Potential Credential Dumping Activity Via LSASS

Jan 6, 2025 · attack.credential-access attack.t1003.001 attack.s0002 ·

Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.

HackTool - Generic Process Access

Oct 1, 2024 · attack.credential-access attack.t1003.001 attack.s0002 ·

Share on:

Detects process access requests from hacktool processes based on their default image name

Potentially Suspicious GrantedAccess Flags On LSASS

Oct 1, 2024 · attack.credential-access attack.t1003.001 attack.s0002 ·

Share on:

Detects process access requests to LSASS process with potentially suspicious access flags

Credential Dumping Attempt Via WerFault

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.s0002 ·

Share on:

Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.

LSASS Access From Potentially White-Listed Processes

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.s0002 ·

Share on:

Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference

LSASS Memory Access by Tool With Dump Keyword In Name

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.s0002 ·

Share on:

Detects LSASS process access requests from a source process with the "dump" keyword in its image name.

Mimikatz DC Sync

Aug 12, 2024 · attack.credential-access attack.s0002 attack.t1003.006 ·

Share on:

Detects Mimikatz DC sync security events

Mimikatz Use

Aug 12, 2024 · attack.s0002 attack.lateral-movement attack.credential-access car.2013-07-001 car.2019-04-004 attack.t1003.002 attack.t1003.004 attack.t1003.001 attack.t1003.006 ·

Share on:

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

Remote LSASS Process Access Through Windows Remote Management

Aug 12, 2024 · attack.credential-access attack.execution attack.t1003.001 attack.t1059.001 attack.lateral-movement attack.t1021.006 attack.s0002 ·

Share on:

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

Successful Overpass the Hash Attempt

Aug 12, 2024 · attack.lateral-movement attack.s0002 attack.t1550.002 ·

Share on:

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.

Kerberos .kirbi Ticket Files

Mar 26, 2024 · attack.s0002 attack.credential_access attack.t1558 attack.t1558.003 ·

Share on:

Kerberos ticket files (.kirbi) are of interest to adversaries as they can contain sensitive data such as NTLM hashes that can be cracked offline. To perform these attacks, a unique file extension variable is defined within Mimikatz that designates the default extension as .kirbi. Part of the RedCanary 2024 Threat Detection Report.

Mimikatz Module Names

Mar 26, 2024 · attack.credential_access attack.t1003 attack.s0002 ·

Share on:

Identifies processes in which Mimikatz module names are observed as command-line parameters. Part of the RedCanary 2024 Threat Detection Report.

Mimikatz .kirbi File Creation (RedCanary Threat Detection Report)

May 10, 2023 · attack.s0002 ·

Share on:

Detects .kirbi files created, commonly associated with Mimikatz. Part of the RedCanary 2023 Threat Detection Report.

Mimikatz Module Names in Command Line (RedCanary Threat Detection Report)

May 10, 2023 · attack.s0002 ·

Share on:

Detects presence of common Mimikatz module names in command line strings. Part of the RedCanary 2023 Threat Detection Report.