LSASS Dumping Patterns

Rule Info

Name
LSASS Dumping Patterns
Author
Florian Roth (Nextron Systems)
Description
Detects suspicious process patterns found in relation to LSASS process memory dumping
Reference
https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/credential-harvesting/from-memory/lsass-exe
Date
2023-05-18 00:00:00
Modified
2023-05-19 00:00:00
Id
ae03b52d-fa63-472f-a4ae-5ec452522b68
Tags
attack.credential_access attack.t1003.001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022