Detectionmediumtest

Potential Credential Dumping Activity Via LSASS

Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Samir Bousseaden, Michael HaagCreated Wed Apr 03Updated Sat Mar 025ef9853e-4d0e-4a70-846f-a9ca37d876dawindows

Log Source

WindowsProcess Access

ProductWindows← raw: windows

CategoryProcess Access← raw: process_access

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Detection Logic

detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains:
            - '0x1038'
            - '0x1438'
            - '0x143a'
            - '0x1fffff' # Too many false positives
            # - '0x01000'  # Too many false positives
            # - '0x1010'   # Too many false positives
            # - '0x1400'  # Too many false positives
            # - '0x1410' # Too many false positives
            # - '0x40'   # Too many false positives
        CallTrace|contains:
            - 'dbgcore.dll'
            - 'dbghelp.dll'
            - 'kernel32.dll'
            - 'kernelbase.dll'
            - 'ntdll.dll'
    filter_main_system_user:
        SourceUser|contains: # Covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_optional_thor:
        CallTrace|contains|all:
            - ':\Windows\Temp\asgard2-agent\'
            - '\thor\thor64.exe+'
            - '|UNKNOWN('
        GrantedAccess: '0x103800'
    filter_optional_sysmon:
        SourceImage|endswith: ':\Windows\Sysmon64.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*