sigmahighTTP

Password Dumper Remote Thread in LSASS

Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.

MITRE ATT&CK

S0005 T1003.001

credential-access

Detection Query

selection:
  TargetImage|endswith: \lsass.exe
  StartModule: ""
condition: selection

Author

Thomas Patzke

Created

2017-02-19

Data Sources

windowsRemote Thread Creation

Platforms

windows

References

https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm

Tags

attack.credential-accessattack.s0005attack.t1003.001

Raw Content

title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
status: stable
description: |
    Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
    The process in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
author: Thomas Patzke
date: 2017-02-19
modified: 2021-06-21
tags:
    - attack.credential-access
    - attack.s0005
    - attack.t1003.001
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        StartModule: ''
    condition: selection
falsepositives:
    - Antivirus products
level: high