KQL, Elastic-2.0, from elastic/detection-rules

LSASS Memory Dump Handle Access

Quality: 92
Rule source: rules/windows/credential_access_lsass_memdump_handle_access.toml
host.os.type:"windows" and event.code:"4656" and
  (
    winlog.event_data.AccessMask : ("0x1fffff" or "0x1010" or "0x120089" or "0x1F3FFF") or
    winlog.event_data.AccessMaskDescription : ("READ_CONTROL" or "Read from process memory")
  ) and
  winlog.event_data.ObjectName : *\\Windows\\System32\\lsass.exe and
  not winlog.event_data.ProcessName : (
      "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" or
      "C:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe" or
      "C:\\Windows\\System32\\dllhost.exe" or
      "C:\\Windows\\System32\\svchost.exe" or
      "C:\\Windows\\System32\\msiexec.exe" or
      "C:\\Windows\\explorer.exe"
  )
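Added illustration, not code from elastic/detection-rules: the rule's clauses re-implemented as a Python predicate and run over a few constructed 4656 events, so the process allow-list and the ObjectName wildcard can be seen deciding which events fire. The flattened event layout, the helper names and the sample paths (`C:\Temp\unknown.exe`, the HarddiskVolume3 device path) are assumptions, and KQL matching is approximated by exact string equality plus a case-sensitive glob.

```python
from fnmatch import fnmatchcase

ACCESS_MASKS = {"0x1fffff", "0x1010", "0x120089", "0x1F3FFF"}  # values from the rule
ACCESS_DESCRIPTIONS = {"READ_CONTROL", "Read from process memory"}
OBJECT_PATTERN = "*\\Windows\\System32\\lsass.exe"  # KQL '*' matches any prefix
EXCLUDED_PROCESSES = {  # system processes that routinely open lsass handles
    "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "C:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe",
    "C:\\Windows\\System32\\dllhost.exe",
    "C:\\Windows\\System32\\svchost.exe",
    "C:\\Windows\\System32\\msiexec.exe",
    "C:\\Windows\\explorer.exe",
}

def matches_rule(event: dict) -> bool:
    """True when a flattened event satisfies every clause of the rule (KQL
    approximated: exact equality for masks/process names, glob for ObjectName)."""
    if event.get("host.os.type") != "windows" or event.get("event.code") != "4656":
        return False
    data = event.get("winlog.event_data", {})
    memory_access = (data.get("AccessMask") in ACCESS_MASKS
                     or data.get("AccessMaskDescription") in ACCESS_DESCRIPTIONS)
    if not memory_access or not fnmatchcase(data.get("ObjectName", ""), OBJECT_PATTERN):
        return False
    # Final clause: suppress the allow-listed processes, everything else fires.
    return data.get("ProcessName") not in EXCLUDED_PROCESSES

def alerting_ids(events):
    """Ids of the events the rule would fire on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]

def _evt(id_, code="4656", **data):
    """Constructed event in the flattened field layout the rule queries (assumed)."""
    return {"id": id_, "host.os.type": "windows", "event.code": code,
            "winlog.event_data": data}

LSASS = "\\Device\\HarddiskVolume3\\Windows\\System32\\lsass.exe"
UNKNOWN = "C:\\Temp\\unknown.exe"  # placeholder for an unrecognised requester
SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    _evt("evt-1", AccessMask="0x1fffff", ObjectName=LSASS, ProcessName=UNKNOWN),  # fires
    _evt("evt-2", AccessMask="0x1fffff", ObjectName=LSASS,
         ProcessName="C:\\Windows\\System32\\svchost.exe"),  # allow-listed, no alert
    _evt("evt-3", AccessMask="0x40", AccessMaskDescription="Read from process memory",
         ObjectName=LSASS, ProcessName=UNKNOWN),  # fires on the description clause
    _evt("evt-4", AccessMask="0x1fffff", ProcessName=UNKNOWN,
         ObjectName="C:\\Windows\\System32\\notepad.exe"),  # different object, no alert
    _evt("evt-5", code="4663", AccessMask="0x1fffff", ObjectName=LSASS,
         ProcessName=UNKNOWN),  # 4663 is an access attempt, not a handle request
]
```

Calling `alerting_ids(SAMPLE_EVENTS)` returns `['evt-1', 'evt-3']`; evt-3 shows why the rule keeps the AccessMaskDescription branch, since its numeric mask alone would not have matched.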