title: Potential Credential Dumping Activity Via LSASS id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da status: test description: | Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature. references: - https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md - https://research.splunk.com/endpoint/windows_possible_credential_dumping/ author: Samir Bousseaden, Michael Haag date: 2019-04-03 modified: 2024-03-02 tags: - attack.credential-access - attack.t1003.001 - attack.s0002 logsource: category: process_access product: windows detection: selection: TargetImage|endswith: '\lsass.exe' GrantedAccess|contains: - '0x1038' - '0x1438' - '0x143a' - '0x1fffff' # Too many false positives # - '0x01000' # Too many false positives # - '0x1010' # Too many false positives # - '0x1400' # Too many false positives # - '0x1410' # Too many false positives # - '0x40' # Too many false positives CallTrace|contains: - 'dbgcore.dll' - 'dbghelp.dll' - 'kernel32.dll' - 'kernelbase.dll' - 'ntdll.dll' filter_main_system_user: SourceUser|contains: # Covers many language settings - 'AUTHORI' - 'AUTORI' filter_optional_thor: CallTrace|contains|all: - ':\Windows\Temp\asgard2-agent\' - '\thor\thor64.exe+' - '|UNKNOWN(' GrantedAccess: '0x103800' filter_optional_sysmon: SourceImage|endswith: ':\Windows\Sysmon64.exe' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: medium