Suspicious Process Access

These detections identify suspicious activity from Sysmon Process Access records collected by Insight Agent from Windows endpoints.

Suspicious Process Access - Possible Mimikatz LSADUMP::lsa /Inject

Description

This detection identifies the potential in-memory use of the Mimikatz utility with the LSADUMP::lsa /Inject command.

Recommendation

Review the alert in question and investigate the process (SourceImage) that generated this event. If necessary, rebuild the host from a known-good source and have the user change their password.

MITRE ATT&CK Techniques

  • OS Credential Dumping - T1003

Suspicious Process Access - Possible Mimikatz LSADUMP::lsa /patch

Description

This detection identifies the potential in-memory use of the Mimikatz utility with the LSADUMP::lsa /patch command.

Recommendation

Review the alert in question and investigate the process (SourceImage) that generated this event. If necessary, rebuild the host from a known-good source and have the user change their password.

MITRE ATT&CK Techniques

  • OS Credential Dumping - T1003

Suspicious Process Access - Possible Procdump Using MiniDumpWriteDump Function

Description

This detection identifies possible use of the memory-dumping utility ‘procdump.exe’ calling the MiniDumpWriteDump function against the Local Security Authority Subsystem Service (LSASS) process, ‘lsass.exe’. This technique is used by malicious actors and penetration testers to acquire the memory contents of the process and extract credentials from it with tools such as Mimikatz.

Recommendation

Review the alert in question and investigate the process (SourceImage) that generated this event. If necessary, rebuild the host from a known-good source and have the user change their password.

MITRE ATT&CK Techniques

  • OS Credential Dumping - T1003

Suspicious Process Access - Possible Procdump Using PssCaptureSnapShot Function

Description

This detection identifies possible use of the memory-dumping utility ‘procdump.exe’ calling the PssCaptureSnapShot function against the Local Security Authority Subsystem Service (LSASS) process, ‘lsass.exe’. This technique is used by malicious actors and penetration testers to acquire the memory contents of the process and extract credentials from it with tools such as Mimikatz.

Recommendation

Review the alert in question and investigate the process (SourceImage) that generated this event. If necessary, rebuild the host from a known-good source and have the user change their password.

MITRE ATT&CK Techniques

  • OS Credential Dumping - T1003

Suspicious Process Access - Unusual Lsass.exe Memory Access

Description

This detection identifies an unusual process accessing LSASS.exe in memory. This technique is used by malicious actors and penetration testers to acquire the memory contents of the process and extract credentials from it with tools such as Mimikatz.

Recommendation

Review the alert in question and the process (SourceImage) that accessed LSASS.exe in memory. Investigate other process activity around the same time as this event for anything suspicious. If necessary, rebuild the host from a known-good source and have the user change their password.

MITRE ATT&CK Techniques

  • OS Credential Dumping - T1003
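The "unusual process accessing LSASS" logic that the detections on this page describe, written out as an added example (not Rapid7's, Insight Agent's or Sysmon's code). It filters Sysmon Event ID 10 (Process Access) records by TargetImage and SourceImage; the allowlist and the sample events are constructed for the example and are assumptions, not vendor-supplied values.

```python
# Added example: triage filter for Sysmon Event ID 10 (Process Access) records.
# Flags any SourceImage outside an allowlist that opened a handle to lsass.exe.
# Field names (EventID, SourceImage, TargetImage, GrantedAccess) follow the
# Sysmon ProcessAccess schema; the allowlist and sample events are constructed.
from typing import Iterable, List, Set

# Constructed allowlist of processes that commonly open lsass.exe on a Windows
# host. This is an assumption for the example; tune it to your environment.
EXPECTED_LSASS_ACCESSORS: Set[str] = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_lsass_target(target_image: str) -> bool:
    """True when the TargetImage path's file name is lsass.exe (case-insensitive)."""
    normalized = target_image.lower().replace("/", "\\")
    return normalized.rsplit("\\", 1)[-1] == "lsass.exe"


def flag_unusual_lsass_access(events: Iterable[dict],
                              allowlist: Set[str] = EXPECTED_LSASS_ACCESSORS) -> List[dict]:
    """Return the Process Access events where a non-allowlisted SourceImage touched lsass.exe."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:          # only Sysmon Process Access records
            continue
        if not is_lsass_target(ev.get("TargetImage", "")):
            continue
        if ev.get("SourceImage", "").lower() not in allowlist:
            hits.append(ev)
    return hits


# Constructed sample records (not real telemetry): one expected accessor, one
# unexpected accessor, one unrelated target, and one non-Process-Access event.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in flag_unusual_lsass_access(SAMPLE_EVENTS):
        print("ALERT unusual lsass.exe access:", hit["SourceImage"], hit["GrantedAccess"])
```

Allowlisting by full path alone is a starting point; in production the SourceImage should also be checked against its signer and the GrantedAccess mask, since a benign-looking path is trivial to spoof.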