Techniques
Sample rules
Potential Credential Dumping Via WER - Application
- source: sigma
- techniques:
- t1003
- t1003.001
Description
Detects a Windows Error Reporting event in which the crashed process is lsass.exe. Such a crash could be the result of an intentional crash induced by techniques such as Lsass-Shtinkering to dump credentials.
Detection logic
selection:
    AppName: lsass.exe
    EventID: 1000
    ExceptionCode: c0000001
    Provider_Name: Application Error
condition: selection
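To show what this selection actually does when run over telemetry, here is an added example (not part of the Sigma rule or the page) that evaluates the four selection fields against a handful of constructed Application-log records. It implements only plain Sigma equality matching (case-insensitive, no modifiers) as an assumed simplification, and the sample events, host names and record numbers are made up for the demonstration.

```python
"""Evaluate the Sigma selection from the rule above against constructed events."""
from typing import Any, Dict, List

# Sigma selection copied from the rule; every field must match (logical AND).
SELECTION: Dict[str, Any] = {
    "Provider_Name": "Application Error",
    "EventID": 1000,
    "AppName": "lsass.exe",
    "ExceptionCode": "c0000001",
}


def _norm(value: Any) -> str:
    # Sigma string matching is case-insensitive by default (assumed here as the
    # only matching mode); numbers and strings are compared by their textual
    # form so EventID 1000 also matches the string "1000".
    return str(value).strip().lower()


def matches_selection(event: Dict[str, Any], selection: Dict[str, Any] = SELECTION) -> bool:
    """Return True when every selection field is present in the event and equal."""
    for field, expected in selection.items():
        if field not in event:
            return False
        if _norm(event[field]) != _norm(expected):
            return False
    return True


def find_matches(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events that satisfy the rule (condition: selection)."""
    return [e for e in events if matches_selection(e)]


# Constructed sample events shaped like Windows Application log records.
# These are not real telemetry; only records 1 and 4 should fire the rule.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # 1: lsass.exe crash with the exception code the rule looks for -> match
    {"RecordNumber": 1, "Provider_Name": "Application Error", "EventID": 1000,
     "AppName": "lsass.exe", "ExceptionCode": "c0000001", "Computer": "host01"},
    # 2: same exception code but a different process -> no match
    {"RecordNumber": 2, "Provider_Name": "Application Error", "EventID": 1000,
     "AppName": "notepad.exe", "ExceptionCode": "c0000001", "Computer": "host01"},
    # 3: lsass.exe crash with an unrelated exception code -> no match
    {"RecordNumber": 3, "Provider_Name": "Application Error", "EventID": 1000,
     "AppName": "lsass.exe", "ExceptionCode": "c0000005", "Computer": "host02"},
    # 4: same as 1 but with different casing and a string EventID -> match
    {"RecordNumber": 4, "Provider_Name": "Application Error", "EventID": "1000",
     "AppName": "LSASS.EXE", "ExceptionCode": "C0000001", "Computer": "host03"},
    # 5: different provider and event id -> no match
    {"RecordNumber": 5, "Provider_Name": "Windows Error Reporting", "EventID": 1001,
     "AppName": "lsass.exe", "ExceptionCode": "c0000001", "Computer": "host03"},
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT record={hit['RecordNumber']} host={hit['Computer']} "
              f"app={hit['AppName']} code={hit['ExceptionCode']}")
```

Running the script prints one alert line for record 1 and one for record 4; record 3 is deliberately included to show that an lsass.exe crash with a different exception code does not trigger this particular rule, so a triage workflow should not treat "no alert" as "no lsass crash".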