security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a0bad54dbda170d5369f54ccede5f11f999da4de
blue-team-tools/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
T

25 lines
788 B
YAML
Raw Normal View History

Added UUIDs to rules
2019-11-12 23:12:27 +01:00
title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process
in field Process is the malicious program. A single execution can lead to hundreds of events.
ATT&CK tagging
2018-07-17 23:58:11 +02:00
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status: stable
Added "logsource" sections and new rule
2017-02-19 00:31:59 +01:00
author: Thomas Patzke
logsource:
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
product: windows
service: sysmon
New rules and cleanup
2017-02-12 15:50:39 +01:00
detection:
selection:
Rule review and cleanup
2017-02-15 23:53:08 +01:00
EventID: 8
Various rule fixes
2018-03-26 22:53:38 +02:00
TargetImage: 'C:\Windows\System32\lsass.exe'
Added proper handling of null/not null values
2017-10-29 23:57:39 +01:00
StartModule: null
New rules and cleanup
2017-02-12 15:50:39 +01:00
condition: selection
ATT&CK tagging
2018-07-17 23:58:11 +02:00
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
New rules and cleanup
2017-02-12 15:50:39 +01:00
falsepositives:
- unknown
Levels to low, medium, high, critical
2017-02-16 18:02:26 +01:00
level: high
Reference in New Issue Copy Permalink