← Back to Explore
sigmahighTTP
Credential Dumping Activity By Python Based Tool
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
Detection Query
selection:
TargetImage|endswith: \lsass.exe
CallTrace|contains|all:
- _ctypes.pyd+
- :\Windows\System32\KERNELBASE.dll+
- :\Windows\SYSTEM32\ntdll.dll+
CallTrace|contains:
- python27.dll+
- python3*.dll+
GrantedAccess: "0x1FFFFF"
condition: selection
Author
Bhabesh Raj, Jonhnathan Ribeiro
Created
2023-11-27
Data Sources
windowsProcess Access Events
Platforms
windows
Tags
attack.credential-accessattack.t1003.001attack.s0349
Raw Content
title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
- id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
type: obsolete
- id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
type: obsolete
status: stable
description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
- https://github.com/skelsec/pypykatz
author: Bhabesh Raj, Jonhnathan Ribeiro
date: 2023-11-27
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0349
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
CallTrace|contains|all:
- '_ctypes.pyd+'
- ':\Windows\System32\KERNELBASE.dll+'
- ':\Windows\SYSTEM32\ntdll.dll+'
CallTrace|contains:
- 'python27.dll+'
- 'python3*.dll+'
GrantedAccess: '0x1FFFFF'
condition: selection
falsepositives:
- Unknown
level: high