Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials.
|Technique||Subtechnique(s)||Tactic(s)||Level of Coverage|
|OS Credential Dumping||LSASS Memory||Credential Access||Moderate|
Data Model References
Pseudocode – Remote thread creation into LSASS (Pseudocode, CAR native)
Pseudocode implementation of the Splunk search below. The CAR data model does not currently contain a Target Image field, for remote thread creation, so this code Is somewhat inexact. See the Splunk implementation for a more precise search for the lsass image target.
remote_threads = search Thread:remote_create lsass_remote_create = filter remote_threads where "lsass" in raw event output lsass_remote_create
Splunk code (Splunk, )
This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named
sysmon. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | rename Computer as dest
Test Case 1
Configurations: Using Splunk Attack Range
Replay the detection dataset using the Splunk attack range with the commands below
python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP]
Test Case 2
Configurations: Using Invoke-AtomicRedTeam
execute the atomic test T1003.001 against a Windows target.