splunk · patel-bhavin · Oct 10, 2025 · Sep 30, 2025 · Sep 30, 2025 · Oct 1, 2025
@@ -1,17 +1,18 @@
 name: Access LSASS Memory for Dump Creation
 id: fb4c31b0-13e8-4155-8aa5-24de4b8d6717
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-09-30'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
-description: The following analytic detects attempts to dump the LSASS process memory,
-  a common technique in credential dumping attacks. It leverages Sysmon logs, specifically
-  EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll
-  associated with lsass.exe. This activity is significant as it often precedes the
-  theft of sensitive login credentials, posing a high risk of unauthorized access
-  to systems and data. If confirmed malicious, attackers could gain access to critical
-  credentials, enabling further compromise and lateral movement within the network.
+description: The following analytic detects attempts to dump the LSASS process 
+  memory, a common technique in credential dumping attacks. It leverages Sysmon 
+  logs, specifically EventCode 10, to identify suspicious call traces to 
+  dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is 
+  significant as it often precedes the theft of sensitive login credentials, 
+  posing a high risk of unauthorized access to systems and data. If confirmed 
+  malicious, attackers could gain access to critical credentials, enabling 
+  further compromise and lateral movement within the network.
 data_source:
 - Sysmon EventID 10
 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll*
@@ -22,14 +23,15 @@ search: '`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR
   process_guid process_id process_name process_path signature signature_id user_id
   vendor_product | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`
   | `access_lsass_memory_for_dump_creation_filter`'
-how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which
-  includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`.
-  We strongly recommend that you specify your environment-specific configurations
-  (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition
-  with configurations for your Splunk environment. The search also uses a post-filter
-  macro designed to filter out known false positives.
-known_false_positives: Administrators can create memory dumps for debugging purposes,
-  but memory dumps of the LSASS process would be unusual.
+how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, 
+  which includes EventCode 10 for lsass.exe. This search uses an input macro 
+  named `sysmon`. We strongly recommend that you specify your 
+  environment-specific configurations (index, source, sourcetype, etc.) for 
+  Windows Sysmon logs. Replace the macro definition with configurations for your
+  Splunk environment. The search also uses a post-filter macro designed to 
+  filter out known false positives.
+known_false_positives: Administrators can create memory dumps for debugging 
+  purposes, but memory dumps of the LSASS process would be unusual.
 references:
 - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
 drilldown_searches:
@@ -47,10 +49,10 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: process $SourceImage$ injected into $TargetImage$ and was attempted dump
-    LSASS on $dest$. Adversaries tend to do this when trying to accesss credential
-    material stored in the process memory of the Local Security Authority Subsystem
-    Service (LSASS).
+  message: process $SourceImage$ injected into $TargetImage$ and was attempted 
+    dump LSASS on $dest$. Adversaries tend to do this when trying to accesss 
+    credential material stored in the process memory of the Local Security 
+    Authority Subsystem Service (LSASS).
   risk_objects:
   - field: dest
     type: system
@@ -63,6 +65,7 @@ tags:
   - CISA AA23-347A
   - Credential Dumping
   - Cactus Ransomware
+  - Lokibot
   asset_type: Windows
   mitre_attack_id:
   - T1003.001
@@ -74,6 +77,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog
@@ -1,18 +1,19 @@
 name: Create Remote Thread into LSASS
 id: 67d4dbef-9564-4699-8da8-03a151529edc
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-09-30'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
-description: The following analytic detects the creation of a remote thread in the
-  Local Security Authority Subsystem Service (LSASS). This behavior is identified
-  using Sysmon EventID 8 logs, focusing on processes that create remote threads in
-  lsass.exe. This activity is significant because it is commonly associated with credential
-  dumping, a tactic used by adversaries to steal user authentication credentials.
-  If confirmed malicious, this could allow attackers to gain unauthorized access to
-  sensitive information, leading to potential compromise of the entire network. Analysts
-  should investigate to differentiate between legitimate tools and potential threats.
+description: The following analytic detects the creation of a remote thread in 
+  the Local Security Authority Subsystem Service (LSASS). This behavior is 
+  identified using Sysmon EventID 8 logs, focusing on processes that create 
+  remote threads in lsass.exe. This activity is significant because it is 
+  commonly associated with credential dumping, a tactic used by adversaries to 
+  steal user authentication credentials. If confirmed malicious, this could 
+  allow attackers to gain unauthorized access to sensitive information, leading 
+  to potential compromise of the entire network. Analysts should investigate to 
+  differentiate between legitimate tools and potential threats.
 data_source:
 - Sysmon EventID 8
 search: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime
@@ -22,14 +23,16 @@ search: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as f
   parent_process_id parent_process_name parent_process_path process_exec process_guid
   process_id process_name process_path signature signature_id user_id vendor_product
   | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`'
-how_to_implement: This search needs Sysmon Logs with a Sysmon configuration, which
-  includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`.
-  We strongly recommend that you specify your environment-specific configurations
-  (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition
-  with configurations for your Splunk environment. The search also uses a post-filter
-  macro designed to filter out known false positives.
-known_false_positives: Other tools can access LSASS for legitimate reasons and generate
-  an event. In these cases, tweaking the search may help eliminate noise.
+how_to_implement: This search needs Sysmon Logs with a Sysmon configuration, 
+  which includes EventCode 8 with lsass.exe. This search uses an input macro 
+  named `sysmon`. We strongly recommend that you specify your 
+  environment-specific configurations (index, source, sourcetype, etc.) for 
+  Windows Sysmon logs. Replace the macro definition with configurations for your
+  Splunk environment. The search also uses a post-filter macro designed to 
+  filter out known false positives.
+known_false_positives: Other tools can access LSASS for legitimate reasons and 
+  generate an event. In these cases, tweaking the search may help eliminate 
+  noise.
 references:
 - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
 drilldown_searches:
@@ -47,8 +50,9 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A process has created a remote thread into $TargetImage$ on $dest$. This
-    behavior is indicative of credential dumping and should be investigated.
+  message: A process has created a remote thread into $TargetImage$ on $dest$. 
+    This behavior is indicative of credential dumping and should be 
+    investigated.
   risk_objects:
   - field: dest
     type: system
@@ -60,6 +64,7 @@ tags:
   analytic_story:
   - Credential Dumping
   - BlackSuit Ransomware
+  - Lokibot
   asset_type: Windows
   mitre_attack_id:
   - T1003.001
@@ -71,6 +76,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog
@@ -1,18 +1,19 @@
 name: Detect Credential Dumping through LSASS access
 id: 2c365e57-4414-4540-8dc0-73ab10729996
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-09-30'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
-description: The following analytic detects attempts to read LSASS memory, indicative
-  of credential dumping. It leverages Sysmon EventCode 10, filtering for specific
-  access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is
-  significant because it suggests an attacker is trying to extract credentials from
-  LSASS memory, potentially leading to unauthorized access, data breaches, and compromise
-  of sensitive information. If confirmed malicious, this could enable attackers to
-  escalate privileges, move laterally within the network, or exfiltrate data. Extensive
-  triage is necessary to differentiate between malicious and benign activities.
+description: The following analytic detects attempts to read LSASS memory, 
+  indicative of credential dumping. It leverages Sysmon EventCode 10, filtering 
+  for specific access permissions (0x1010 and 0x1410) on the lsass.exe process. 
+  This activity is significant because it suggests an attacker is trying to 
+  extract credentials from LSASS memory, potentially leading to unauthorized 
+  access, data breaches, and compromise of sensitive information. If confirmed 
+  malicious, this could enable attackers to escalate privileges, move laterally 
+  within the network, or exfiltrate data. Extensive triage is necessary to 
+  differentiate between malicious and benign activities.
 data_source:
 - Sysmon EventID 10
 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410)
@@ -23,16 +24,17 @@ search: '`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR G
   process_guid process_id process_name process_path signature signature_id user_id
   vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `detect_credential_dumping_through_lsass_access_filter`'
-how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which
-  includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`.
-  We strongly recommend that you specify your environment-specific configurations
-  (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition
-  with configurations for your Splunk environment. The search also uses a post-filter
-  macro designed to filter out known false positives.
-known_false_positives: The activity may be legitimate. Other tools can access lsass
-  for legitimate reasons, and it's possible this event could be generated in those
-  cases. In these cases, false positives should be fairly obvious and you may need
-  to tweak the search to eliminate noise.
+how_to_implement: This search needs Sysmon Logs and a sysmon configuration, 
+  which includes EventCode 10 with lsass.exe. This search uses an input macro 
+  named `sysmon`. We strongly recommend that you specify your 
+  environment-specific configurations (index, source, sourcetype, etc.) for 
+  Windows Sysmon logs. Replace the macro definition with configurations for your
+  Splunk environment. The search also uses a post-filter macro designed to 
+  filter out known false positives.
+known_false_positives: The activity may be legitimate. Other tools can access 
+  lsass for legitimate reasons, and it's possible this event could be generated 
+  in those cases. In these cases, false positives should be fairly obvious and 
+  you may need to tweak the search to eliminate noise.
 references: []
 drilldown_searches:
 - name: View the detection results for - "$dest$" and "$TargetImage$"
@@ -49,8 +51,9 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: The $SourceImage$ has attempted access to read $TargetImage$ was identified
-    on endpoint $dest$, this is indicative of credential dumping and should be investigated.
+  message: The $SourceImage$ has attempted access to read $TargetImage$ was 
+    identified on endpoint $dest$, this is indicative of credential dumping and 
+    should be investigated.
   risk_objects:
   - field: dest
     type: system
@@ -62,6 +65,7 @@ tags:
   - CISA AA23-347A
   - Credential Dumping
   - BlackSuit Ransomware
+  - Lokibot
   asset_type: Windows
   mitre_attack_id:
   - T1003.001
@@ -73,6 +77,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
 version: 19
-date: '2025-09-16'
+date: '2025-09-30'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -116,6 +116,7 @@ tags:
   - NailaoLocker Ransomware
   - PromptLock
   - GhostRedirector IIS Module and Rungan Backdoor
+  - Lokibot
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
 version: 16
-date: '2025-09-10'
+date: '2025-09-30'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -107,6 +107,7 @@ tags:
   - IcedID
   - Interlock Rat
   - PromptLock
+  - Lokibot
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

@@ -1,30 +1,32 @@
 name: Non Chrome Process Accessing Chrome Default Dir
 id: 81263de4-160a-11ec-944f-acde48001122
-version: 12
-date: '2025-07-16'
+version: 13
+date: '2025-09-30'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects a non-Chrome process accessing files in
-  the Chrome user default folder. It leverages Windows Security Event logs, specifically
-  event code 4663, to identify unauthorized access attempts. This activity is significant
-  because the Chrome default folder contains sensitive user data such as login credentials,
-  browsing history, and cookies. If confirmed malicious, this behavior could indicate
-  an attempt to exfiltrate sensitive information, often associated with RATs, trojans,
-  and advanced persistent threats like FIN7. Such access could lead to data theft
-  and further compromise of the affected system.
+description: The following analytic detects a non-Chrome process accessing files
+  in the Chrome user default folder. It leverages Windows Security Event logs, 
+  specifically event code 4663, to identify unauthorized access attempts. This 
+  activity is significant because the Chrome default folder contains sensitive 
+  user data such as login credentials, browsing history, and cookies. If 
+  confirmed malicious, this behavior could indicate an attempt to exfiltrate 
+  sensitive information, often associated with RATs, trojans, and advanced 
+  persistent threats like FIN7. Such access could lead to data theft and further
+  compromise of the affected system.
 data_source:
 - Windows Event Log Security 4663
 search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\chrome.exe",
   "*\\explorer.exe", "*sql*", "*\\dllhost.exe")) ObjectName="*\\Google\\Chrome\\User
   Data\\Default*" | stats count min(_time) as firstTime max(_time) as lastTime by
   ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`'
-how_to_implement: To successfully implement this search, you must ingest Windows Security
-  Event logs and track event code 4663. For 4663, enable "Audit Object Access" in
-  Group Policy. Then check the two boxes listed for both "Success" and "Failure."
-known_false_positives: other browser not listed related to chrome may catch by this
-  rule.
+how_to_implement: To successfully implement this search, you must ingest Windows
+  Security Event logs and track event code 4663. For 4663, enable "Audit Object 
+  Access" in Group Policy. Then check the two boxes listed for both "Success" 
+  and "Failure."
+known_false_positives: other browser not listed related to chrome may catch by 
+  this rule.
 references: []
 drilldown_searches:
 - name: View the detection results for - "$dest$"
@@ -65,6 +67,7 @@ tags:
   - RedLine Stealer
   - Snake Keylogger
   - China-Nexus Threat Activity
+  - Lokibot
   asset_type: Endpoint
   mitre_attack_id:
   - T1555.003
@@ -76,6 +79,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log
     source: XmlWinEventLog:Security
     sourcetype: XmlWinEventLog
@@ -1,7 +1,7 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
-version: 12
-date: '2025-08-22'
+version: 13
+date: '2025-09-30'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -68,6 +68,7 @@ tags:
   - Snake Keylogger
   - China-Nexus Threat Activity
   - 0bj3ctivity Stealer
+  - Lokibot
   asset_type: Endpoint
   mitre_attack_id:
   - T1555.003

@@ -1,7 +1,7 @@
 name: Scheduled Task Deleted Or Created via CMD
 id: d5af132c-7c17-439c-9d31-13d55340f36c
-version: 20
-date: '2025-08-22'
+version: 21
+date: '2025-09-30'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -105,6 +105,7 @@ tags:
   - MoonPeak
   - Scattered Spider
   - 0bj3ctivity Stealer
+  - Lokibot
   asset_type: Endpoint
   mitre_attack_id:
   - T1053.005