
Potential Credential Dumping Via LSASS SilentProcessExit Technique

Summary
This detection rule identifies potential credential dumping by monitoring changes to the Windows Registry, specifically the 'SilentProcessExit' registry key associated with the lsass.exe process. It fires when a monitoring program is registered under that key, because a program registered there can be used to dump the memory of the Local Security Authority Subsystem Service (LSASS). LSASS is the Windows system process that handles authentication, and its memory holds sensitive material such as credentials. To evade detection, attackers may modify the Registry to register their own tool this way, enabling stealthy credential dumping. This rule flags such Registry modifications for further investigation, helping to protect against credential theft and maintain system integrity.
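As an added illustration (not part of this rule page or the Sigma project), the rule's condition applied in Python to constructed Sysmon registry events: the field names follow Sysmon Event ID 13 (RegistryEvent: Value Set) and the SilentProcessExit key path is the real one under HKLM, but the images, tool paths and values in the sample are invented.

```python
# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, flattened
# to "key=value|key=value" lines. Images, tool paths and values are made up here.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Windows\\System32\\reg.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe\\MonitorProcess"
    "|Details=C:\\Users\\Public\\constructed-dumper.exe",
    "EventID=13|Image=C:\\Windows\\regedit.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\LSASS.EXE\\ReportingMode"
    "|Details=DWORD (0x00000002)",
    "EventID=13|Image=C:\\Windows\\System32\\svchost.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\\MonitorProcess"
    "|Details=C:\\Tools\\constructed-debugger.exe",
    "EventID=12|Image=C:\\Windows\\System32\\reg.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe",
]

# The key fragment the rule looks for. Registry paths are case-insensitive and
# Sigma 'contains' matching is too, so the comparison is done in lower case.
LSASS_SPE_FRAGMENT = "\\microsoft\\windows nt\\currentversion\\silentprocessexit\\lsass.exe"


def parse_event(line: str) -> dict:
    """Split a flattened event line into a field dictionary."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def is_lsass_silent_process_exit(event: dict) -> bool:
    """Rule logic: a value-set event whose target lies under SilentProcessExit\\lsass.exe."""
    if event.get("EventID") != "13":  # only 'Value Set' events, not key creation (ID 12)
        return False
    return LSASS_SPE_FRAGMENT in event.get("TargetObject", "").lower()


def scan(lines) -> list:
    """Return one alert per matching event, carrying the fields an analyst triages first."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if is_lsass_silent_process_exit(event):
            alerts.append({"image": event.get("Image", ""),
                           "target": event.get("TargetObject", ""),
                           "details": event.get("Details", "")})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT: {alert['image']} set {alert['target']} -> {alert['details']}")
```

The second sample shows why the case-insensitive comparison matters: a write to LSASS.EXE in upper case is the same key and must still match, while the notepad.exe and key-creation events are correctly ignored.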
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
Created: 2021-02-26