Detect Credential Dumping Through LSASS Access

Description

This search looks for reading lsass memory consistent with credential dumping.

   Help

Detect Credential Dumping Through LSASS Access Help

This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named sysmon. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

   Search

Open in Search