Detection rules › Splunk
Create Remote Thread into LSASS
The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon EventID 8 logs, focusing on processes that create remote threads in lsass.exe. This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network. Analysts should investigate to differentiate between legitimate tools and potential threats.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003.001 OS Credential Dumping: LSASS Memory |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 8 | CreateRemoteThread |
Stages and Predicates
Stage 1: search
search EventID=8 TargetImage="*lsass.exe"
Stage 2: stats
stats BY EventID, Guid, NewThreadId, ProcessID, SecurityID, SourceImage, SourceProcessGuid, SourceProcessId, StartAddress, StartFunction, StartModule, TargetImage, TargetProcessGuid, TargetProcessId, UserID, dest, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventID | eq |
|
TargetImage | eq |
|