Detect Credential Dumping Through LSASS Access
This search looks for processes that open and read the memory of lsass.exe (the Local Security Authority Subsystem), which is consistent with credential dumping: lsass holds the cached credentials and Kerberos tickets of logged-on users, and tools that dump them must first obtain a handle to the lsass process with read access.
Detect Credential Dumping Through LSASS Access Help
This search needs Sysmon logs and a Sysmon configuration that records EventCode 10 (ProcessAccess) for events whose TargetImage is lsass.exe; without that event in the configuration, no access to lsass is logged and the search returns nothing. This search uses an input macro named
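The detection logic described above, written out as an added example in Python rather than as the page's Splunk search, so the decision can be run over sample events offline. It assumes Sysmon Event ID 10 records rendered as key=value fields (the sample records are constructed, not real telemetry), and it flags an event when the TargetImage is lsass.exe and the GrantedAccess mask contains PROCESS_VM_READ (0x0010), the right a process needs to read another process's memory. The optional allowlist of known-benign source images is a tuning knob assumed here, not part of the original search.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records where a process opens
lsass.exe with an access mask that permits reading its memory."""
import re
from collections import Counter

# Bits of the Win32 process access mask relevant to credential dumping.
PROCESS_VM_READ = 0x0010                  # read the target's memory
PROCESS_QUERY_INFORMATION = 0x0400        # commonly combined with VM_READ (0x1410)
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # alone (0x1000) is not a memory read

# Constructed sample records (not real telemetry) in a key=value rendering.
SAMPLE_EVENTS = [
    # Limited query only: benign, no VM_READ bit set.
    "EventCode=10 Computer=ws01 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "SourceProcessId=812 TargetImage=C:\\Windows\\System32\\lsass.exe "
    "TargetProcessId=688 GrantedAccess=0x1000",
    # Full access from a user-writable path: includes VM_READ.
    "EventCode=10 Computer=ws01 SourceImage=C:\\Users\\bob\\Desktop\\procdump64.exe "
    "SourceProcessId=4120 TargetImage=C:\\Windows\\System32\\lsass.exe "
    "TargetProcessId=688 GrantedAccess=0x1FFFFF",
    # Same source process opening lsass twice with VM_READ-bearing masks.
    "EventCode=10 Computer=ws02 SourceImage=C:\\Tools\\m.exe SourceProcessId=2212 "
    "TargetImage=C:\\Windows\\System32\\lsass.exe TargetProcessId=700 GrantedAccess=0x1010",
    "EventCode=10 Computer=ws02 SourceImage=C:\\Tools\\m.exe SourceProcessId=2212 "
    "TargetImage=C:\\Windows\\System32\\lsass.exe TargetProcessId=700 GrantedAccess=0x1410",
    # Not a ProcessAccess event at all.
    "EventCode=1 Computer=ws02 Image=C:\\Tools\\m.exe ProcessId=2212 CommandLine=m.exe",
    # VM_READ against a process other than lsass: out of scope for this search.
    "EventCode=10 Computer=ws03 SourceImage=C:\\Windows\\System32\\taskmgr.exe "
    "SourceProcessId=5000 TargetImage=C:\\Windows\\System32\\notepad.exe "
    "TargetProcessId=9000 GrantedAccess=0x1010",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split a key=value rendered Sysmon record into a dict of string fields."""
    return dict(FIELD_RE.findall(line))


def reads_lsass_memory(event):
    """True when a ProcessAccess event grants memory-read access to lsass.exe."""
    if event.get("EventCode") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)  # e.g. "0x1410"
    except ValueError:
        return False  # malformed mask: do not silently treat as benign or hostile
    return bool(granted & PROCESS_VM_READ)


def detect(lines, allowlist=frozenset()):
    """Return a Counter keyed by (Computer, SourceImage, SourceProcessId,
    TargetProcessId) for every lsass memory read not covered by the allowlist.

    `allowlist` (assumed tuning knob) holds lower-cased source image paths of
    software known to read lsass legitimately, such as endpoint security agents.
    """
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        if not reads_lsass_memory(ev):
            continue
        if ev.get("SourceImage", "").lower() in allowlist:
            continue
        key = (ev.get("Computer"), ev.get("SourceImage"),
               ev.get("SourceProcessId"), ev.get("TargetProcessId"))
        hits[key] += 1
    return hits


if __name__ == "__main__":
    for (computer, source, spid, tpid), count in detect(SAMPLE_EVENTS).items():
        print(f"{computer}: {source} (pid {spid}) read lsass pid {tpid} x{count}")
```

Running the block on the constructed records reports the procdump64.exe access on ws01 once and the m.exe accesses on ws02 twice; the svchost.exe access with GrantedAccess=0x1000 is not reported because that mask lacks PROCESS_VM_READ. In production, expect legitimate readers (security products, some system services) to appear and handle them by allowlisting the specific SourceImage rather than by dropping the access-mask check.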