lsass-credential-dumping

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This query looks for signs of credential dumping based on process activity instead of targeting process names. Author: Jouni Mikkola More info: https://threathunt.blog/lsass-credential-dumping/

Attribute Value
Type Hunting Query
Solution GitHub Only
ID a50138af-4bad-4615-9e55-ced36a836806
Tactics CredentialAccess
Techniques T1003.001
Required Connectors MicrosoftThreatProtection
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
DeviceEvents ActionType in "FileCreated,OpenProcessApiCall" ?
DeviceFileEvents ?

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Hunting Queries