Techniques
Sample rules
Password Dumper Remote Thread in LSASS
- source: sigma
- techniques:
  - t1003
  - t1003.001
Description
Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
Detection logic
  selection:
    StartModule: ''
    TargetImage|endswith: \lsass.exe
  condition: selection
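As an added example (not code from the rule page or from the Sigma project), the selection above applied in Python to constructed Sysmon EventID 8 records, with hits aggregated per source process because the description notes that one execution can produce hundreds of events. It assumes events are dicts keyed by Sysmon's own field names (EventID, SourceImage, TargetImage, StartModule); all sample records are constructed.

```python
"""Apply the Sigma selection (StartModule: '' AND TargetImage|endswith: \\lsass.exe)
to constructed Sysmon EventID 8 records and collapse the hits per SourceImage.

Assumption (not from the rule page): events are dicts using Sysmon field names.
"""
from collections import Counter

LSASS_SUFFIX = "\\lsass.exe"


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's 'selection'.
    The rule is scoped to remote thread creation, so EventID 8 is required."""
    if event.get("EventID") != 8:
        return False
    # 'StartModule: '' ' in Sigma means the field must be present but empty.
    if event.get("StartModule", "") != "":
        return False
    # 'endswith' modifier; Sigma string matching is case-insensitive.
    return event.get("TargetImage", "").lower().endswith(LSASS_SUFFIX.lower())


def alerts_by_source(events) -> Counter:
    """Count matching events per SourceImage so a dumper that creates hundreds
    of remote threads surfaces as one entry with a hit count, not hundreds of rows."""
    return Counter(e.get("SourceImage", "<unknown>") for e in events if matches_rule(e))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Three remote threads into lsass with no start module: all match.
    *[{"EventID": 8, "SourceImage": "C:\\Users\\Public\\tool.exe",
       "TargetImage": "C:\\Windows\\System32\\lsass.exe", "StartModule": ""}
      for _ in range(3)],
    # Same target but a named StartModule: excluded by the StartModule: '' clause.
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "StartModule": "C:\\Windows\\System32\\ntdll.dll"},
    # Remote thread into another process: excluded by the TargetImage clause.
    {"EventID": 8, "SourceImage": "C:\\Users\\Public\\tool.exe",
     "TargetImage": "C:\\Windows\\explorer.exe", "StartModule": ""},
    # lsass.exe as TargetImage in a non-EventID-8 record: out of the rule's scope.
    {"EventID": 10, "SourceImage": "C:\\Users\\Public\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "StartModule": ""},
]

if __name__ == "__main__":
    for source, hits in alerts_by_source(SAMPLE_EVENTS).items():
        print(f"{source}: {hits} remote thread(s) into lsass.exe with empty StartModule")
```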