Type: Detection | Level: high | Status: stable

Password Dumper Remote Thread in LSASS

Detects password dumper activity by monitoring remote thread creation (Sysmon Event ID 8, CreateRemoteThread) where lsass.exe is the TargetImage and the new thread's start address is not backed by any loaded module, i.e. StartModule is empty, which is typical of injected code rather than a normal module entry point. The source process of the event (the SourceImage field in Sysmon Event ID 8) is the suspected dumper. A single execution of a dumper can produce hundreds of these events, so alerts should be aggregated per source process.

Author: Thomas Patzke | Created: Sun Feb 19 | Updated: Mon Jun 21 | Rule ID: f239b326-2f41-4d6b-9dfa-c846a60ef505 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Remote Thread Creation (raw: create_remote_thread)
Detection Logic (1 selector)
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        StartModule: ''
    condition: selection
False Positives

Antivirus products
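The following is an added example, not part of the Sigma rule or any converter backend output. It applies the rule's single selection (TargetImage ends with \lsass.exe, StartModule empty, case-insensitive as Sigma matching is) to a handful of constructed Sysmon Event ID 8 records, then aggregates hits per SourceImage, since one dumper run can emit hundreds of events, and splits out the page's stated false positive (antivirus) via a hypothetical allowlist. The image paths, thread IDs, the ExampleAV product and the allowlist are all made up. One assumption beyond the rule: some log pipelines render an absent StartModule as a "-" placeholder instead of an empty string, so the matcher treats both as empty.

```python
"""Run the 'Password Dumper Remote Thread in LSASS' selection over constructed
Sysmon Event ID 8 records.  Added example; not Sigma project code."""

from collections import Counter

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records, shaped like the
# EventData fields after XML parsing.  Paths and thread IDs are made up.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\wce.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "NewThreadId": 4412,
     "StartAddress": "0x000001D3F4A10000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\wce.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "NewThreadId": 4416,
     "StartAddress": "0x000001D3F4A10000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\wce.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "NewThreadId": 4420,
     "StartAddress": "0x000001D3F4A10000", "StartModule": "", "StartFunction": ""},
    # Benign: the thread starts inside a loaded module, so StartModule is set.
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "NewThreadId": 980,
     "StartAddress": "0x00007FFA3B5E1A60",
     "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    # Same dumper, but the target is not LSASS: out of scope for this rule.
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\wce.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "NewThreadId": 5100,
     "StartAddress": "0x000001D3F4A20000", "StartModule": "", "StartFunction": ""},
    # Hypothetical AV engine; this pipeline renders an absent module as "-".
    {"EventID": 8, "SourceImage": r"C:\Program Files\ExampleAV\avscan.exe",
     "TargetImage": r"C:\Windows\System32\LSASS.EXE", "NewThreadId": 2208,
     "StartAddress": "0x000002A1B2C30000", "StartModule": "-", "StartFunction": "-"},
    # A different Sysmon event (10, ProcessAccess) naming LSASS: not EID 8.
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\wce.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

# Values meaning "no loaded module backs the thread start address".  The Sigma
# rule only writes ''; accepting "-" is an assumption about the log pipeline.
EMPTY_MODULE_VALUES = {"", "-"}

# Hypothetical allowlist for the page's stated false positive (antivirus).
AV_ALLOWLIST = {r"c:\program files\exampleav\avscan.exe"}


def start_module_is_empty(value):
    """True when StartModule is absent or holds a placeholder for absent."""
    return value is None or str(value).strip() in EMPTY_MODULE_VALUES


def matches_rule(event):
    """Apply the rule's one selection.  Sigma string matching is
    case-insensitive, so TargetImage is lowercased before the suffix test."""
    if event.get("EventID") != 8:
        return False
    target = str(event.get("TargetImage", "")).lower()
    if not target.endswith("\\lsass.exe"):
        return False
    return start_module_is_empty(event.get("StartModule"))


def run_rule(events):
    """Return every event the selection matches."""
    return [e for e in events if matches_rule(e)]


def triage(hits, allowlist=AV_ALLOWLIST):
    """Split hits into alerts and allowlisted false positives, counted per
    SourceImage because one dumper run can emit hundreds of EID 8 events."""
    alerts, suppressed = Counter(), Counter()
    for hit in hits:
        source = hit["SourceImage"]
        bucket = suppressed if source.lower() in allowlist else alerts
        bucket[source] += 1
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = triage(run_rule(SAMPLE_EVENTS))
    for source, count in alerts.items():
        print(f"ALERT {source}: {count} remote thread(s) into LSASS, no backing module")
    for source, count in suppressed.items():
        print(f"suppressed (allowlisted AV) {source}: {count}")
```

Note that the selection deliberately ignores SourceImage: anything that plants an unbacked thread in LSASS fires, which is why the false-positive handling above lives in triage rather than in the rule itself.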

Rule Metadata
Rule ID
f239b326-2f41-4d6b-9dfa-c846a60ef505
Status
stable
Level
high
Type
Detection
Created
Sun Feb 19
Modified
Mon Jun 21
Path
rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml
Raw Tags
attack.credential-access, attack.s0005, attack.t1003.001