https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass/
Potential LSASS Process Dump Via Procdump | Detection.FYI
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine …
https://detection.fyi/sigmahq/sigma/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm/
Remote LSASS Process Access Through Windows Remote Management | Detection.FYI
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
https://attack.mitre.org/techniques/T1003/001/
OS Credential Dumping: LSASS Memory, Sub-technique T1003.001 - Enterprise | MITRE ATT&CK®
https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_susp_lsass_dump/
Password Dumper Activity on LSASS | Detection.FYI
Detects a process handle opened on the LSASS process with a specific access mask and object type SAM_DOMAIN