This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

LSASS Password Dump in Packets

WesMorales
New Contributor
New Contributor

‎2021-01-27 10:24 AM

Hello RSA community,
We are looking for a way to better key in on LSASS Hash harvesting in packet capture.  Currently we are keying off of the event directory being system32\ however we are looking for other relevant meta for a custom ESA alert.  I would like to use action is equal to "kerberos ap request" but there are a large amount of false positives with that logic.  If anyone has any recommendations on how to better alert on this activity in packet traffic I would be very interested.  RSA Live seems to have some oob rules for this activity but they all look to be for endpoint and log not packet traffic. 
Thanks for the feedback.    

0 Likes
1 REPLY 1

DavidGassman2
Occasional Contributor
Occasional Contributor

‎2021-01-27 03:32 PM

pastedImage_1.png

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.