
Password Dumper Activity on LSASS

Detects a handle request (Security Event ID 4656) on a SAM_DOMAIN object with access mask 0x705, recorded with a process name ending in \lsass.exe. This combination of object type and requested rights is associated with password dumpers reading domain account data through the SAM.

Log Source
Product: windows
Service: security
Detection Logic
detection:
    selection:
        EventID: 4656                       # Security: a handle to an object was requested
        ProcessName|endswith: '\lsass.exe'  # process name recorded on the handle request
        AccessMask: '0x705'                 # requested rights, compared as the logged hex string
        ObjectType: 'SAM_DOMAIN'            # SAM domain object (not SAM_USER, SAM_GROUP, ...)
    condition: selection
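To show what the selection above actually matches, here is an added example (not part of the Sigma rule or the SigmaHQ project) that applies the same four conditions to a few constructed Security 4656 records and decodes the 0x705 mask into the SAM domain rights it names. The sample events are constructed, not captured logs; field names mirror the EventData fields of Security 4656 as used by Sigma's windows/security log source, and the bit names come from the Domain ACCESS_MASK values in MS-SAMR.

```python
# Added example: runs this rule's 'selection' over constructed Security 4656
# events and decodes the requested access mask. Not code from the Sigma project.
from typing import Dict, List

# Constructed sample events (not real logs). Only the fields the rule and a
# triage analyst need are included.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 1: SAM_DOMAIN handle request, mask 0x705, by lsass.exe -> matches
        "EventID": "4656",
        "ProcessName": r"C:\Windows\System32\lsass.exe",
        "ObjectType": "SAM_DOMAIN",
        "ObjectName": r"DOMAINS\Account",
        "AccessMask": "0x705",
        "SubjectUserName": "svc_backup",
    },
    {   # 2: same mask, but a SAM_USER object -> no match
        "EventID": "4656",
        "ProcessName": r"C:\Windows\System32\lsass.exe",
        "ObjectType": "SAM_USER",
        "ObjectName": r"DOMAINS\Account\Users\000003E9",
        "AccessMask": "0x705",
        "SubjectUserName": "svc_backup",
    },
    {   # 3: SAM_DOMAIN object, but only DOMAIN_LOOKUP (0x200) requested -> no match
        "EventID": "4656",
        "ProcessName": r"C:\Windows\System32\lsass.exe",
        "ObjectType": "SAM_DOMAIN",
        "ObjectName": r"DOMAINS\Account",
        "AccessMask": "0x200",
        "SubjectUserName": "alice",
    },
    {   # 4: Security 4663 (access attempted) carrying the same fields -> no match on EventID
        "EventID": "4663",
        "ProcessName": r"C:\Windows\System32\lsass.exe",
        "ObjectType": "SAM_DOMAIN",
        "ObjectName": r"DOMAINS\Account",
        "AccessMask": "0x705",
        "SubjectUserName": "svc_backup",
    },
    {   # 5: upper-case path -> still matches, Sigma string matching is case-insensitive
        "EventID": "4656",
        "ProcessName": r"C:\WINDOWS\SYSTEM32\LSASS.EXE",
        "ObjectType": "sam_domain",
        "ObjectName": r"DOMAINS\Account",
        "AccessMask": "0x705",
        "SubjectUserName": "jdoe",
    },
]


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies the rule's 'selection' block.

    Sigma string matching is case-insensitive; 'endswith' is a suffix test and
    the other three fields are exact matches. AccessMask is compared as the hex
    string the Security log writes, exactly as the rule does.
    """
    return (
        event.get("EventID") == "4656"
        and event.get("ProcessName", "").lower().endswith("\\lsass.exe")
        and event.get("AccessMask", "").lower() == "0x705"
        and event.get("ObjectType", "").lower() == "sam_domain"
    )


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule to a batch of events; 'condition: selection' is just the selection."""
    return [e for e in events if matches_rule(e)]


# Domain-object rights as defined by MS-SAMR (Domain ACCESS_MASK values).
DOMAIN_ACCESS_BITS = {
    0x001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x010: "DOMAIN_CREATE_USER",
    0x020: "DOMAIN_CREATE_GROUP",
    0x040: "DOMAIN_CREATE_ALIAS",
    0x080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x100: "DOMAIN_LIST_ACCOUNTS",
    0x200: "DOMAIN_LOOKUP",
    0x400: "DOMAIN_ADMINISTER_SERVER",
}


def decode_domain_mask(mask: str) -> List[str]:
    """Names of the SAM domain rights set in a hex access mask string such as '0x705'."""
    value = int(mask, 16)
    return [name for bit, name in sorted(DOMAIN_ACCESS_BITS.items()) if value & bit]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"{hit['SubjectUserName']} -> {hit['ObjectName']} "
              f"mask {hit['AccessMask']}: {', '.join(decode_domain_mask(hit['AccessMask']))}")
```

Decoding 0x705 gives DOMAIN_READ_PASSWORD_PARAMETERS, DOMAIN_READ_OTHER_PARAMETERS, DOMAIN_LIST_ACCOUNTS, DOMAIN_LOOKUP and DOMAIN_ADMINISTER_SERVER, which is why the rule keys on that exact value rather than on any SAM_DOMAIN access: a plain DOMAIN_LOOKUP (0x200), as in sample 3, is ordinary name resolution and is deliberately not matched.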
False Positives
Unknown

The rule ships with no assessed false positives, so additional context (the requesting account, the host, and what else that account did around the same time) may be needed during triage. Before relying on the rule, also confirm that Security Event ID 4656 is actually produced for SAM objects on the monitored hosts: it only appears when Object Access auditing is enabled for them, and a rule whose source event is never logged is silent rather than accurate.

Rule Metadata
Rule ID
aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
Status
test
Level
high
Type
Detection
Created
Sun Feb 12
Modified
Sun Oct 09
Author
Path
rules/windows/builtin/security/win_security_susp_lsass_dump.yml
Raw Tags
attack.credential-access, attack.t1003.001