LoFP / Other tools can access lsass for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.

Techniques

Sample rules

Create Remote Thread into LSASS

Description

The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon EventID 8 logs, focusing on processes that create remote threads in lsass.exe. This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network. Analysts should investigate to differentiate between legitimate tools and potential threats.

Detection logic

`sysmon` EventID=8 TargetImage=*lsass.exe
| stats count min(_time) as firstTime max(_time) as lastTime
    BY EventID Guid NewThreadId ProcessID SecurityID SourceImage
       SourceProcessGuid SourceProcessId StartAddress StartFunction StartModule
       TargetImage TargetProcessGuid TargetProcessId UserID
       dest parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path
       process_exec process_guid process_id process_name process_path
       signature signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `create_remote_thread_into_lsass_filter`
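The same detection logic expressed as a small Python function run over constructed Sysmon Event ID 8 records, as an added example (not the rule's own code). The sample events and the allow-list standing in for the `create_remote_thread_into_lsass_filter` macro are hypothetical, and the grouping is reduced to SourceImage rather than the full BY clause.

```python
# Added example: re-implement the "Create Remote Thread into LSASS" search
# (EventID=8, TargetImage=*lsass.exe, stats count/min/max, then a tuning
# filter) over constructed Sysmon Event ID 8 records. Hypothetical data.
from collections import defaultdict

# Constructed Sysmon records; _time is a Unix epoch as Splunk would store it.
SAMPLE_EVENTS = [
    {"EventID": 8, "_time": 1700000000, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 8, "_time": 1700000060, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 8, "_time": 1700000120, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 8, "_time": 1700000180, "SourceImage": r"C:\Program Files\EDR\agent.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},   # not lsass: ignored
    {"EventID": 10, "_time": 1700000240, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},     # ProcessAccess, not EventID 8
]

# Stand-in for the `create_remote_thread_into_lsass_filter` macro: source
# images known to create threads in lsass.exe legitimately on this estate.
# Hypothetical allow-list; this is the knob the LoFP note says to tune.
ALLOWED_SOURCE_IMAGES = {r"c:\windows\system32\csrss.exe"}


def detect_remote_thread_into_lsass(events, allowed=ALLOWED_SOURCE_IMAGES):
    """EventID=8 TargetImage=*lsass.exe | stats count min max BY SourceImage,
    then drop sources the tuning filter allow-lists. Returns a list of hits."""
    times_by_source = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 8:
            continue
        if not ev.get("TargetImage", "").lower().endswith("lsass.exe"):
            continue
        times_by_source[ev["SourceImage"]].append(ev["_time"])

    hits = []
    for source, times in times_by_source.items():
        if source.lower() in allowed:          # the filter macro's job
            continue
        hits.append({"SourceImage": source, "count": len(times),
                     "firstTime": min(times), "lastTime": max(times)})
    return hits


if __name__ == "__main__":
    for hit in detect_remote_thread_into_lsass(SAMPLE_EVENTS):
        print(hit)
```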