Detection rules › By event

Microsoft-Windows-Sysmon event 10

44 detection rules reference this event. View event page.

Sigma (23)

CMSTP Execution Process Access severity high T1218.003, T1559.001
Credential Dumping Activity By Python Based Tool severity high T1003.001
Credential Dumping Attempt Via Svchost severity high T1548
Credential Dumping Attempt Via WerFault severity high T1003.001
Function Call From Undocumented COM Interface EditionUpgradeManager severity medium T1548.002
HackTool - CobaltStrike BOF Injection Pattern severity high T1106, T1562.001
HackTool - Generic Process Access severity high T1003.001
HackTool - HandleKatz Duplicating LSASS Handle severity high T1003.001, T1106
HackTool - LittleCorporal Generated Maldoc Injection severity high T1055.003, T1204.002
HackTool - SysmonEnte Execution severity high T1562.002
LSASS Access From Potentially White-Listed Processes severity high T1003.001
LSASS Memory Access by Tool With Dump Keyword In Name severity high T1003.001
Lsass Memory Dump via Comsvcs DLL severity high T1003.001
Potential Credential Dumping Activity Via LSASS severity medium T1003.001
Potential Direct Syscall of NtOpenProcess severity medium T1106
Potentially Suspicious GrantedAccess Flags On LSASS severity medium T1003.001
Remote LSASS Process Access Through Windows Remote Management severity high T1003.001, T1021.006, T1059.001
Suspicious LSASS Access Via MalSecLogon severity high T1003.001
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze severity high T1562.001
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs severity high T1003.001, T1562.001
Suspicious Svchost Process Access severity high T1562.002
UAC Bypass Using WOW64 Logger DLL Hijack severity high T1548.002
Uncommon Process Access Rights For Target Image severity low T1055.011