Techniques
Sample rules
Create Remote Thread into LSASS
- source: splunk
- techniques:
  - T1003.001
  - T1003
Description
The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), a common tactic adversaries use to steal user authentication credentials (credential dumping). The detection leverages Sysmon Event ID 8 (CreateRemoteThread) logs and searches for processes that create remote threads in lsass.exe. This is unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps surface potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur, though the confidence level of this alert is high: there are cases where legitimate tools access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats.
Detection logic
`sysmon` EventID=8 TargetImage=*lsass.exe
| stats count min(_time) as firstTime max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `create_remote_thread_into_lsass_filter`
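As an added illustration (not part of the Splunk rule or its security_content macros), the pipeline above emulated in Python over constructed Sysmon records, so the search, the stats aggregation and the post-stats filter step can be seen working on concrete events. The KNOWN_SENSOR_HOSTS tuning set is an assumption standing in for the `create_remote_thread_into_lsass_filter` macro, whose definition is not on this page.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon records (Event ID 8 = CreateRemoteThread, Event ID 10 =
# ProcessAccess); field names follow the ones used in the SPL above.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:01", "dest": "ws01", "EventCode": 8,
     "SourceImage": r"C:\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 712},
    {"_time": "2024-05-01T10:00:05", "dest": "ws01", "EventCode": 8,
     "SourceImage": r"C:\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 712},
    {"_time": "2024-05-01T10:01:00", "dest": "ws01", "EventCode": 8,
     "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 4100},
    {"_time": "2024-05-01T11:00:00", "dest": "srv02", "EventCode": 10,
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 680},
    {"_time": "2024-05-01T12:30:00", "dest": "scan01", "EventCode": 8,
     "SourceImage": r"C:\Program Files\Vendor\sensor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 700},
]

# Hypothetical tuning (assumption, not the macro's real contents): hosts where a
# vetted security sensor is known to create threads in LSASS.
KNOWN_SENSOR_HOSTS = {"scan01"}


def search_lsass_remote_threads(events):
    """`sysmon` EventID=8 TargetImage=*lsass.exe (SPL wildcards are case-insensitive)."""
    return [e for e in events
            if e["EventCode"] == 8 and e["TargetImage"].lower().endswith("lsass.exe")]


def stats_by_target(events):
    """stats count min(_time) max(_time) by dest, EventCode, TargetImage, TargetProcessId."""
    groups = defaultdict(list)
    for e in events:
        key = (e["dest"], e["EventCode"], e["TargetImage"], e["TargetProcessId"])
        groups[key].append(datetime.fromisoformat(e["_time"]))
    return [{"dest": d, "EventCode": c, "TargetImage": img, "TargetProcessId": pid,
             "count": len(ts), "firstTime": min(ts).isoformat(),
             "lastTime": max(ts).isoformat()}
            for (d, c, img, pid), ts in groups.items()]


def apply_filter(rows):
    """The filter macro runs after stats, so it can only key on the aggregated
    fields; SourceImage is gone by this stage and cannot be allowlisted here."""
    return [r for r in rows if r["dest"] not in KNOWN_SENSOR_HOSTS]


def detect(events):
    return apply_filter(stats_by_target(search_lsass_remote_threads(events)))
```

Because the filter sits after `stats`, any tuning on the injecting process (SourceImage) has to be placed before the aggregation or added to the `by` clause; this is the practical caveat when you fill in the filter macro.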