← Back to Explore
splunk_escuTTP
Create Remote Thread into LSASS
The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon EventID 8 logs, focusing on processes that create remote threads in lsass.exe. This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network. Analysts should investigate to differentiate between legitimate tools and potential threats.
Detection Query
`sysmon`
EventID=8
TargetImage="*\\lsass.exe"
| stats count min(_time) as firstTime
max(_time) as lastTime
values(NewThreadId) as "NewThreadId"
values(StartAddress) as "StartAddress"
by dest signature_id signature
SourceProcessGuid SourceProcessId SourceImage
TargetProcessGuid TargetProcessId TargetImage
StartModule StartFunction vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `create_remote_thread_into_lsass_filter`Author
Patrick Bareiss, Splunk
Data Sources
Sysmon EventID 8
Raw Content
name: Create Remote Thread into LSASS
id: 67d4dbef-9564-4699-8da8-03a151529edc
version: 15
creation_date: '2019-12-11'
modification_date: '2026-06-29'
author: Patrick Bareiss, Splunk
status: production
type: TTP
description: |-
The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS).
This behavior is identified using Sysmon EventID 8 logs, focusing on processes that create remote threads in lsass.exe.
This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials.
If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network.
Analysts should investigate to differentiate between legitimate tools and potential threats.
data_source:
- Sysmon EventID 8
search: |-
`sysmon`
EventID=8
TargetImage="*\\lsass.exe"
| stats count min(_time) as firstTime
max(_time) as lastTime
values(NewThreadId) as "NewThreadId"
values(StartAddress) as "StartAddress"
by dest signature_id signature
SourceProcessGuid SourceProcessId SourceImage
TargetProcessGuid TargetProcessId TargetImage
StartModule StartFunction vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `create_remote_thread_into_lsass_filter`
how_to_implement: This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
known_false_positives: Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.
references:
- https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: A process has created a remote thread into $TargetImage$ on $dest$. This behavior is indicative of credential dumping and should be investigated.
entity:
field: dest
type: system
score: 50
threat_objects:
- field: TargetImage
type: process_name
analytic_story:
- Credential Dumping
- BlackSuit Ransomware
- Lokibot
asset_type: Windows
mitre_attack_id:
- T1003.001
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
test_type: unit