Suspicious Process Access
These detections identify suspicious activity in Sysmon Process Access records (Event ID 10) collected by the Insight Agent from Windows endpoints.
Suspicious Process Access - Possible Mimikatz LSADUMP::lsa /Inject
Description
This detection identifies the potential in-memory use of the Mimikatz utility with the LSADUMP::lsa /Inject command.
Recommendation
Review the alert in question and investigate the process (SourceImage) that generated this event. If necessary, rebuild the host from a known-good source and have the user change their password.
MITRE ATT&CK Techniques
- OS Credential Dumping - T1003
Suspicious Process Access - Possible Mimikatz LSADUMP::lsa /patch
Description
This detection identifies the potential in-memory use of the Mimikatz utility with the LSADUMP::lsa /patch command.
Recommendation
Review the alert in question and investigate the process (SourceImage) that generated this event. If necessary, rebuild the host from a known-good source and have the user change their password.
MITRE ATT&CK Techniques
- OS Credential Dumping - T1003
Suspicious Process Access - Possible Procdump Using MiniDumpWriteDump Function
Description
This detection identifies possible use of the memory dumping utility 'procdump.exe' calling the MiniDumpWriteDump function against the Local Security Authority Subsystem Service (LSASS) process, 'lsass.exe'. This technique is used by malicious actors and penetration testers to acquire the memory contents of the process and extract credentials from it with tools such as Mimikatz.
Recommendation
Review the alert in question and investigate the process (SourceImage) that generated this event. If necessary, rebuild the host from a known-good source and have the user change their password.
MITRE ATT&CK Techniques
- OS Credential Dumping - T1003
Suspicious Process Access - Possible Procdump Using PssCaptureSnapShot Function
Description
This detection identifies possible use of the memory dumping utility 'procdump.exe' calling the PssCaptureSnapShot function against the Local Security Authority Subsystem Service (LSASS) process, 'lsass.exe'. This technique is used by malicious actors and penetration testers to acquire the memory contents of the process and extract credentials from it with tools such as Mimikatz.
Recommendation
Review the alert in question and investigate the process (SourceImage) that generated this event. If necessary, rebuild the host from a known-good source and have the user change their password.
MITRE ATT&CK Techniques
- OS Credential Dumping - T1003
Suspicious Process Access - Unusual Lsass.exe Memory Access
Description
This detection identifies an unusual process accessing LSASS.exe in memory. This technique is used by malicious actors and penetration testers to acquire the memory contents of the process and extract credentials from it with tools such as Mimikatz.
Recommendation
Review the alert in question and the process (SourceImage) that accessed LSASS.exe in memory. Investigate other process activity around the same time as the access for anything suspicious. If necessary, rebuild the host from a known-good source and have the user change their password.
MITRE ATT&CK Techniques
- OS Credential Dumping - T1003
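To make concrete what the Sysmon Process Access records behind these detections look like and how an analyst can triage them, here is an added example in Python. It is not Rapid7's detection logic and not code from this page: the field names (SourceImage, TargetImage, GrantedAccess, CallTrace) are Sysmon's documented Event ID 10 fields, while the allowlist of expected LSASS readers, the access-mask and call-trace heuristics, and the sample events are constructed assumptions that a defender would tune to their own environment.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for access to lsass.exe.

Added example, not Rapid7's detection logic. Field names follow the documented
Sysmon Event ID 10 schema; the allowlist, access masks and call-trace
heuristics below are assumptions to be tuned per environment.
"""
from __future__ import annotations

import ntpath

# Processes that legitimately read LSASS memory on many hosts.
# Constructed example allowlist, not an authoritative baseline.
EXPECTED_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

# Win32 process access rights (documented constants) used to interpret GrantedAccess.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
# Masks that grant every right on the target process; a full handle is what a
# minidump-style tool typically requests (assumption: tune locally).
FULL_ACCESS_MASKS = {0x1F0FFF, 0x1FFFFF}

# MiniDumpWriteDump is exported by these DLLs, so their presence in CallTrace
# suggests a minidump-style read of the target process.
DUMP_HELPER_DLLS = ("dbghelp.dll", "dbgcore.dll")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def _parse_mask(value) -> int:
    """GrantedAccess is logged as a hex string such as '0x1010'."""
    try:
        return int(value, 16) if isinstance(value, str) else int(value)
    except (TypeError, ValueError):
        return 0


def evaluate_process_access(record: dict) -> list[str]:
    """Return zero or more finding labels for one Sysmon Event ID 10 record.

    Records whose target is not lsass.exe, or whose source is an expected
    reader, produce no findings; everything else is described, not judged.
    """
    if _basename(record.get("TargetImage", "")) != "lsass.exe":
        return []
    source = _basename(record.get("SourceImage", ""))
    if source in EXPECTED_LSASS_READERS:
        return []

    mask = _parse_mask(record.get("GrantedAccess", "0x0"))
    call_trace = (record.get("CallTrace") or "").lower()
    findings = ["Unusual Lsass.exe Memory Access"]

    if any(dll in call_trace for dll in DUMP_HELPER_DLLS):
        findings.append("Possible minidump of LSASS (dbghelp/dbgcore in CallTrace)")
    # Sysmon writes UNKNOWN(<address>) for frames not backed by a module on disk.
    if "unknown(" in call_trace:
        findings.append("Unbacked code in CallTrace")

    if mask in FULL_ACCESS_MASKS:
        findings.append("Full-access handle to LSASS")
    elif mask & PROCESS_VM_READ and mask & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION):
        findings.append("Read/query handle to LSASS")
    return findings


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """(source image name, findings) for every event that produced findings."""
    results = []
    for event in events:
        findings = evaluate_process_access(event)
        if findings:
            results.append((_basename(event.get("SourceImage", "")), findings))
    return results


# Constructed sample records shaped like Sysmon Event ID 10 data; not real telemetry.
SAMPLE_EVENTS = [
    {   # expected reader: suppressed by the allowlist
        "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1410",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2c6ce",
    },
    {   # unknown binary with a read/query handle and an unbacked frame
        "SourceImage": r"C:\Users\Public\tool.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|UNKNOWN(00000000001A0000)",
    },
    {   # dump utility with a full-access handle and dbghelp in the call trace
        "SourceImage": r"C:\Tools\procdump64.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\dbghelp.dll+7a81",
    },
    {   # unrelated target process: ignored
        "SourceImage": r"C:\Windows\explorer.exe",
        "TargetImage": r"C:\Windows\system32\notepad.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": "",
    },
]

if __name__ == "__main__":
    for source, findings in triage(SAMPLE_EVENTS):
        print(f"{source}: {', '.join(findings)}")
```

The allowlist is deliberately an early return rather than a scoring penalty: a tuned environment usually has a handful of security agents that hold LSASS handles constantly, and suppressing them outright keeps the remaining findings, each of which maps onto one of the detections above, readable during an investigation.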