<<< Hide Navigation Hide TOC >>>
LSASS Access From Potentially White-Listed Processes (4be8b654-0c01-4c9d-a10c-6b28467fc651)
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
Cluster A![]() |
Galaxy A![]() |
Cluster B![]() |
Galaxy B![]() |
Level![]() |
---|---|---|---|---|
LSASS Access From Potentially White-Listed Processes (4be8b654-0c01-4c9d-a10c-6b28467fc651) | Sigma-Rules | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 1 |
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 2 |