Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhighstable

Credential Dumping Activity By Python Based Tool

Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Bhabesh Raj, Jonhnathan RibeiroCreated Mon Nov 27Updated Wed Nov 29f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9windows
Log Source
WindowsProcess Access
ProductWindows← raw: windows
CategoryProcess Access← raw: process_access

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        CallTrace|contains|all:
            - '_ctypes.pyd+'
            - ':\Windows\System32\KERNELBASE.dll+'
            - ':\Windows\SYSTEM32\ntdll.dll+'
        CallTrace|contains:
            - 'python27.dll+'
            - 'python3*.dll+'
        GrantedAccess: '0x1FFFFF'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
twitter.com
2
Resolving title…
github.com
MITRE ATT&CK
Related Rules
Similar

4b9a8556-99c4-470b-a40c-9c8d02c77ed0

Rule not found
Similar

7186e989-4ed7-4f4e-a656-4674b9e3e48b

Rule not found
Rule Metadata
Rule ID
f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
Status
stable
Level
high
Type
Detection
Created
Mon Nov 27
Modified
Wed Nov 29
Author
Bhabesh Raj, Jonhnathan Ribeiro
Path
rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml
Raw Tags
attack.credential-accessattack.t1003.001attack.s0349
View on GitHub