Rule Library
Sigma Rules
3 rules found for "@pbssubhash"
3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting

Detection · high · test
LSASS Process Dump Artefact In CrashDumps Folder
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as LSASS Shtinkering have been seen abusing Windows Error Reporting to dump said process.
Windows · File Event
TA0006 · Credential Access · T1003.001 · LSASS Memory
@pbssubhash · Thu Dec 08 · windows

Detection · high · test
Potential Credential Dumping Via WER
Detects potential credential dumping via Windows Error Reporting. The LSASS Shtinkering technique uses Windows Error Reporting to dump lsass.
Windows · Process Creation
TA0006 · Credential Access · T1003.001 · LSASS Memory
@pbssubhash +1 · Thu Dec 08 · windows

Detection · high · test
Lsass Full Dump Request Via DumpType Registry Settings
Detects the setting of the "DumpType" registry value to "2", which stands for a "Full Dump". Techniques such as LSASS Shtinkering require this value to be "2" in order to dump LSASS.
Windows · Registry Set
TA0006 · Credential Access · T1003.001 · LSASS Memory
@pbssubhash · Thu Dec 08 · windows