Create Remote Thread Into LSASS


Detects a process creating a remote thread in lsass.exe, as recorded by Sysmon Event ID 8 (CreateRemoteThread), a behavior consistent with credential dumping from LSASS process memory.


Create Remote Thread Into LSASS Help

This search requires Sysmon logs collected with a Sysmon configuration that records Event ID 8 (CreateRemoteThread) where the TargetImage is lsass.exe; confirm that your configuration actually emits this event for lsass.exe, since many configurations leave it disabled or filtered. The search reads its data through an input macro named sysmon. We strongly recommend that you replace that macro's definition with the environment-specific configuration (index, source, sourcetype, etc.) your Splunk deployment uses for Windows Sysmon logs. The search also applies a post-filter macro intended to exclude known false positives. Legitimate software such as antivirus and EDR agents can create remote threads in lsass.exe, so tune that filter to the SourceImage values observed in your environment rather than matching on a bare process name.
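The following is an added, stand-alone model of the detection logic the help text describes, not the Splunk search from this page or from the security-content project: it selects Sysmon Event ID 8 records whose target process is lsass.exe, drops records whose SourceImage is on a post-filter allowlist, and rolls the survivors up per host, source and target the way a stats-style search would. The field names follow Sysmon's Event ID 8 schema; every host name, path, timestamp and allowlist entry is constructed for illustration.

```python
"""Stand-alone model of the "Create Remote Thread Into LSASS" detection.

Added example, not code from the Splunk security-content page: it reproduces
the logic the page describes (Sysmon Event ID 8 where the target process is
lsass.exe, followed by a post-filter for known false positives) over
constructed Sysmon records so the match and its caveats can be run offline.
Field names follow Sysmon's Event ID 8 schema; every path, host name and
allowlist entry below is constructed for illustration.
"""
from collections import defaultdict
from ntpath import basename  # Windows path handling regardless of host OS

# Constructed Sysmon events. Only the fields the detection uses are included.
SAMPLE_EVENTS = [
    {"EventCode": 8, "UtcTime": "2024-05-01 10:00:01.001", "Computer": "ws01.corp.example",
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "StartAddress": "0x00007FFB12340000", "StartModule": "", "StartFunction": ""},
    {"EventCode": 8, "UtcTime": "2024-05-01 10:00:01.250", "Computer": "ws01.corp.example",
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\dump.exe",
     "TargetImage": r"C:\Windows\System32\LSASS.EXE",        # casing varies in real data
     "StartAddress": "0x00007FFB12345678", "StartModule": "", "StartFunction": ""},
    {"EventCode": 8, "UtcTime": "2024-05-01 10:05:00.000", "Computer": "ws02.corp.example",
     "SourceImage": r"C:\Program Files\ExampleAV\avagent.exe",  # constructed AV agent, known false positive
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "StartAddress": "0x00007FFB00001000", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"EventCode": 8, "UtcTime": "2024-05-01 10:06:00.000", "Computer": "ws02.corp.example",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",         # target is not LSASS
     "StartAddress": "0x00007FFB00002000", "StartModule": "", "StartFunction": ""},
    {"EventCode": 10, "UtcTime": "2024-05-01 10:07:00.000", "Computer": "ws03.corp.example",
     "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",           # Event ID 10 (ProcessAccess), out of scope
     "GrantedAccess": "0x1010"},
]

# Post-filter: SourceImage paths known to create threads in LSASS legitimately.
# Constructed; tune to what your own Sysmon data shows. Keyed on the full
# lower-cased path so a same-named binary dropped in a user-writable directory
# is not excused by the allowlist.
KNOWN_FALSE_POSITIVE_SOURCES = {
    r"c:\program files\exampleav\avagent.exe",
}


def is_remote_thread_into_lsass(event):
    """True for Sysmon Event ID 8 whose target process is lsass.exe (case-insensitive)."""
    if event.get("EventCode") != 8:
        return False
    return basename(event.get("TargetImage", "")).lower() == "lsass.exe"


def is_known_false_positive(event, allowlist=KNOWN_FALSE_POSITIVE_SOURCES):
    """Post-filter equivalent: drop events whose SourceImage is on the allowlist."""
    return event.get("SourceImage", "").lower() in allowlist


def detect(events, allowlist=KNOWN_FALSE_POSITIVE_SOURCES):
    """Apply the match and the post-filter, then summarise per host/source/target.

    Mirrors a stats-style rollup: count, first and last time, and the distinct
    thread start addresses, which help tell one injection from a burst.
    """
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                  "StartAddress": set()})
    for ev in events:
        if not is_remote_thread_into_lsass(ev) or is_known_false_positive(ev, allowlist):
            continue
        key = (ev["Computer"], ev["SourceImage"], ev["TargetImage"].lower())
        g = groups[key]
        g["count"] += 1
        g["firstTime"] = min(filter(None, [g["firstTime"], ev["UtcTime"]]))
        g["lastTime"] = max(filter(None, [g["lastTime"], ev["UtcTime"]]))
        g["StartAddress"].add(ev["StartAddress"])
    return [
        {"Computer": c, "SourceImage": s, "TargetImage": t, **g,
         "StartAddress": sorted(g["StartAddress"])}
        for (c, s, t), g in groups.items()
    ]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the two dump.exe records collapse into one finding on ws01 with two distinct start addresses, the antivirus agent is suppressed by the allowlist, the notepad.exe thread and the Event ID 10 record never match. Clearing the allowlist surfaces the agent as a second finding, which is the kind of noise the page's post-filter macro exists to remove.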

