credential_access_suspicious_security_package_loaded_by_lsass.yml
name: Suspicious security package DLL loaded
id: 2c74f176-9a95-4344-a1aa-15aa06e16919
version: 1.1.3
description: |
  Attackers can abuse Windows Security Support Providers (SSPs) and Authentication Packages
  to have a malicious Security Package dynamically loaded into the Local Security Authority
  Subsystem Service (lsass.exe) process, where it can intercept plaintext logon credentials.
labels:
  tactic.id: TA0006
  tactic.name: Credential Access
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1003
  technique.name: OS Credential Dumping
  technique.ref: https://attack.mitre.org/techniques/T1003/
  subtechnique.id: T1003.001
  subtechnique.name: LSASS Memory
  subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
references:
  - https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/
  - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package
# Match an image load in lsass.exe that was reached through sspisrv.dll (the SSPI server
# component that loads security packages into LSASS) where the loaded DLL is either
# unsigned or carries a signature that does not verify. `~=` and `imatches` are
# case-insensitive; `?:` stands for any drive letter.
condition: >
  ps.name ~= 'lsass.exe' and thread.callstack.modules imatches ('?:\\Windows\\System32\\sspisrv.dll') and
  (load_unsigned_or_untrusted_module)
min-engine-version: 3.0.0
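To make the three clauses of the condition concrete, the following is an added example, not part of the Fibratus rule or project: a small stand-alone Python re-implementation of the rule evaluated over constructed image-load events. The `ImageLoadEvent` fields mirror the rule's `ps.name`, `thread.callstack.modules` and the signature attributes by name only; the `load_unsigned_or_untrusted_module` function is an assumed approximation of the Fibratus macro ("no signature at all, or a signature that failed verification"), not the macro's actual definition, and `imatches` over the call stack is treated as matching when any module on the stack matches the glob. All sample events and paths are constructed, not real telemetry.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Glob taken from the rule's condition: `?` stands for the drive letter.
SSPISRV_PATTERN = r"?:\Windows\System32\sspisrv.dll"


@dataclass(frozen=True)
class ImageLoadEvent:
    """One image-load event, reduced to the fields the rule consults (constructed model)."""
    ps_name: str                 # ps.name: the process loading the image
    image_path: str              # full path of the DLL being loaded
    signature_type: str          # "NONE" when the DLL carries no signature at all
    signature_level: str         # "UNSIGNED" when a present signature failed verification
    callstack_modules: tuple     # thread.callstack.modules, innermost frame first


def imatches(value: str, pattern: str) -> bool:
    """Case-insensitive glob like the rule's `imatches`: `?` is one character, `*` any run."""
    return fnmatchcase(value.lower(), pattern.lower())


def load_unsigned_or_untrusted_module(ev: ImageLoadEvent) -> bool:
    """Assumed approximation of the Fibratus macro: unsigned, or signed but not verifiable."""
    return ev.signature_type == "NONE" or ev.signature_level == "UNSIGNED"


def rule_matches(ev: ImageLoadEvent) -> bool:
    """The rule's condition: lsass.exe, sspisrv.dll on the stack, unsigned/untrusted image."""
    in_lsass = ev.ps_name.lower() == "lsass.exe"                     # ps.name ~= 'lsass.exe'
    via_sspisrv = any(imatches(m, SSPISRV_PATTERN) for m in ev.callstack_modules)
    return in_lsass and via_sspisrv and load_unsigned_or_untrusted_module(ev)


def evaluate(events) -> list:
    """Return the image paths of every event the rule would alert on, in input order."""
    return [ev.image_path for ev in events if rule_matches(ev)]


# Constructed call stack for a security package load through the SSPI server.
LSASS_STACK = (r"C:\Windows\System32\ntdll.dll",
               r"C:\Windows\System32\KernelBase.dll",
               r"C:\Windows\System32\sspisrv.dll",
               r"C:\Windows\System32\lsasrv.dll")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Unsigned DLL from a writable directory loaded as a security package -> alert
    ImageLoadEvent("lsass.exe", r"C:\Windows\Temp\evilssp.dll", "NONE", "UNSIGNED", LSASS_STACK),
    # 2. Microsoft-signed package loaded through the same code path -> no alert
    ImageLoadEvent("lsass.exe", r"C:\Windows\System32\kerberos.dll", "CATALOG", "WINDOWS", LSASS_STACK),
    # 3. Unsigned DLL in lsass.exe but not loaded via sspisrv.dll -> outside this rule's scope
    ImageLoadEvent("lsass.exe", r"C:\Windows\Temp\other.dll", "NONE", "UNSIGNED",
                   (r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\lsasrv.dll")),
    # 4. Signed but unverifiable DLL, odd casing, different drive letter -> still an alert
    ImageLoadEvent("LSASS.EXE", r"D:\Tools\ssp.dll", "EMBEDDED", "UNSIGNED",
                   (r"d:\windows\system32\NTDLL.DLL", r"D:\WINDOWS\SYSTEM32\SSPISRV.DLL")),
    # 5. Same unsigned DLL loaded by a different process -> not this rule's concern
    ImageLoadEvent("svchost.exe", r"C:\Windows\Temp\evilssp.dll", "NONE", "UNSIGNED", LSASS_STACK),
]

if __name__ == "__main__":
    for path in evaluate(SAMPLE_EVENTS):
        print("ALERT: suspicious security package loaded by lsass.exe:", path)
```

Events 1 and 2 differ only in the signature attributes, so the signature check is what separates a dropped SSP from a legitimate Microsoft-signed package; a malicious package signed with a valid, trusted certificate would not trip this rule. Event 3 shows the deliberate narrowing to the sspisrv.dll code path: an unsigned DLL that reaches lsass.exe by some other route needs a different rule.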