Detectioncriticaltest

Potential Credential Dumping Via LSASS SilentProcessExit Technique

Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Fri Feb 26Updated Mon Dec 1955e29995-75e7-451a-bef0-6225e2f13597windows

Log Source

WindowsRegistry Event

ProductWindows← raw: windows

CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1003.001 · LSASS Memory

Related Rules

SimilarDetectionhigh

Potential Persistence Via GlobalFlags

Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

55e29995-75e7-451a-bef0-6225e2f13597

Status

test

Level

critical

Type

Detection

Created

Fri Feb 26

Modified

Mon Dec 19

Author

Florian Roth (Nextron Systems)

Path

rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml

Raw Tags

attack.credential-accessattack.t1003.001

View on GitHub