title: Password Dumper Remote Thread in LSASS
author: Thomas Patzke
date: 2017/02/19
description: Detects password dumper activity by monitoring remote thread creation
    EventID 8 in combination with the lsass.exe process as TargetImage. The process
    in field Process is the malicious program. A single execution can lead to hundreds
    of events.
detection:
    SELECTION_1:
        EventID: 8
    SELECTION_2:
        TargetImage: '*\lsass.exe'
    SELECTION_3:
        StartModule: ''
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Antivirus products
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
level: high
logsource:
    category: create_remote_thread
    product: windows
modified: 2021/06/21
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status: stable
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
- attack.t1003.001
yml_filename: sysmon_password_dumper_lsass.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread