Detect remote thread creation into LSASS consistent with credential dumping.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2019-12-06
- Author: Patrick Bareiss, Splunk
- ID: 67d4dbef-9564-4699-8da8-03a151529edc
| ID | Technique | Tactic |
|---|---|---|
| T1003.001 | LSASS Memory | Credential Access |
| T1003 | OS Credential Dumping | Credential Access |
```
`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`
```
Associated Analytic Story
How To Implement
This search needs Sysmon logs produced by a Sysmon configuration that records EventCode 8 (CreateRemoteThread) with lsass.exe as the target image. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro, `create_remote_thread_into_lsass_filter`, designed to filter out known false positives.
Kill Chain Phase
- Actions on Objectives
Known False Positives
Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.
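The following is an added example, not part of the Splunk search or the security_content project: the search's filter, stats and post-filter steps run in Python over constructed Sysmon EventID 8 records, so the grouping and the point at which the filter macro can act are visible. The `KNOWN_GOOD_HOSTS` allowlist and the `lsass_filter` function are assumptions standing in for whatever your `create_remote_thread_into_lsass_filter` macro contains.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample Sysmon events, not real telemetry. Field names are the
# Sysmon/Splunk ones used in the search.
SAMPLE_EVENTS = [
    {"_time": "2019-12-06T10:00:01Z", "EventCode": 8, "Computer": "WS01",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 704},
    {"_time": "2019-12-06T10:00:03Z", "EventCode": 8, "Computer": "WS01",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 704},
    {"_time": "2019-12-06T10:05:00Z", "EventCode": 8, "Computer": "SCAN01",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 712},
    {"_time": "2019-12-06T10:06:00Z", "EventCode": 8, "Computer": "WS02",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 4120},
    {"_time": "2019-12-06T10:07:00Z", "EventCode": 10, "Computer": "WS02",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 712},
]

# Hypothetical content of the `create_remote_thread_into_lsass_filter` macro:
# hosts where a sanctioned tool is known to touch LSASS. Because the macro runs
# after `stats`, it can only test fields kept by the by-clause (dest, EventCode,
# TargetImage, TargetProcessId); filtering on SourceImage would require adding
# that field to the by-clause of the search.
KNOWN_GOOD_HOSTS = {"SCAN01"}

def lsass_filter(row):
    return row["dest"] not in KNOWN_GOOD_HOSTS

def _epoch(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def detect_remote_thread_into_lsass(events, post_filter=lsass_filter):
    """Apply the search logic: EventCode=8 and TargetImage=*lsass.exe, then
    stats count/min/max by Computer, EventCode, TargetImage, TargetProcessId,
    rename Computer to dest, and finally the post-filter macro."""
    groups = defaultdict(list)
    for ev in events:
        # EventCode 8 is CreateRemoteThread; the wildcard matches any path ending in lsass.exe
        if ev["EventCode"] != 8 or not ev["TargetImage"].lower().endswith("lsass.exe"):
            continue
        key = (ev["Computer"], ev["EventCode"], ev["TargetImage"], ev["TargetProcessId"])
        groups[key].append(_epoch(ev["_time"]))
    rows = []
    for (computer, code, target, pid), times in groups.items():
        rows.append({"dest": computer, "EventCode": code, "TargetImage": target,
                     "TargetProcessId": pid, "count": len(times),
                     "firstTime": min(times), "lastTime": max(times)})
    return [r for r in rows if post_filter(r)]
```

On the sample data only the WS01 group survives: the notepad.exe target and the EventCode 10 record never match, and SCAN01 is dropped by the stand-in filter.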
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 81.0 | 90 | 90 | A process has created a remote thread into $TargetImage$ on $dest$. This behavior is indicative of credential dumping and should be investigated. |
source | version: 1