==================================================

CREATED: WIN-POSSIBLE-MIMIKATZ-LOGGEDONPASSWORDS (#1943)

Description

This detector identifies processes that call OpenProcess on lsass.exe and request the VirtualMemoryRead and QueryLimitedInformation access rights. This behavior has been commonly observed with the execution of credential theft tools.

ATT&CK Technique T1003
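
The check described above can be sketched over process-access telemetry. This is an added example, not the vendor's detector logic: it assumes Sysmon Event ID 10 (ProcessAccess) records with the SourceImage, TargetImage and GrantedAccess fields, and the sample events are constructed.

```python
import ntpath

# Windows process access rights (values from winnt.h)
PROCESS_VM_READ = 0x0010                    # "VirtualMemoryRead"
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # "QueryLimitedInformation"
REQUIRED = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION  # 0x1010


def parse_mask(value):
    """Parse a GrantedAccess string such as '0x1010'; return None if malformed."""
    try:
        return int(str(value), 16)
    except (TypeError, ValueError):
        return None


def is_lsass_read(event):
    """True when a ProcessAccess event opens lsass.exe with both rights set."""
    if event.get("EventID") != 10:
        return False
    # Compare the file name only, case-insensitively, as Windows paths are.
    target = ntpath.basename(event.get("TargetImage", "")).lower()
    mask = parse_mask(event.get("GrantedAccess"))
    if target != "lsass.exe" or mask is None:
        return False
    # Match any mask that contains both bits, not only the exact value 0x1010.
    return (mask & REQUIRED) == REQUIRED


def find_hits(events):
    """Return (SourceImage, GrantedAccess) for every matching event."""
    return [(e["SourceImage"], e["GrantedAccess"]) for e in events if is_lsass_read(e)]


# Constructed sample events (not real telemetry).
_LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe", "TargetImage": _LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": _LSASS, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Temp\dump.exe", "TargetImage": _LSASS, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe", "TargetImage": r"C:\Windows\notepad.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Temp\odd.exe", "TargetImage": _LSASS, "GrantedAccess": "n/a"},
]

if __name__ == "__main__":
    for source, access in find_hits(SAMPLE_EVENTS):
        print(f"possible LSASS credential read: {source} requested {access}")
```

A mask-contains test also matches broader requests such as full access, so in practice the result is usually paired with an allowlist of known security and system processes.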

==================================================

CREATED: WIN-HH-RENAMED (#1960)

Description

This detector identifies whenever the metadata of the Windows HTML Help Executable Program (hh.exe) is used by another process.

ATT&CK Technique T1036
