sigmaDRL-1.1from SigmaHQ/sigma
Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
Quality
100
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
- id: 36803969-5421-41ec-b92f-8500f79c23b0
type: similar
status: test
description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
author: Florian Roth (Nextron Systems)
date: 2021-02-26
modified: 2022-12-19
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
condition: selection
falsepositives:
- Unlikely
level: critical