
Adding GrantedAccess filter for catching credential dumps.

Open deftoner opened this issue 3 years ago • 0 comments

Modification: under the `<ProcessAccess>` group add: `<GrantedAccess condition="is">0x1010</GrantedAccess>`

That will catch when tools like mimikatz trigger a credential dump.


deftoner, Dec 23 '20 17:12
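To show what the proposed filter actually matches, here is an added example (not code from the issue or from the sysmon-config project) that evaluates the `condition="is"` 0x1010 rule, and a mask-based alternative, against constructed Sysmon Event ID 10 records. The process paths and access values in the sample events are made up for the demo, and the decomposition of 0x1010 into PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION uses the documented Windows access-right constants.

```python
from dataclasses import dataclass
from typing import Callable, List

# Windows process access rights that together form 0x1010.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
RULE_MASK = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION  # == 0x1010


@dataclass
class ProcessAccessEvent:
    """Subset of Sysmon Event ID 10 (ProcessAccess) fields the rule looks at."""
    source_image: str
    target_image: str
    granted_access: str  # Sysmon logs this as a hex string, e.g. "0x1010"


def matches_exact_rule(evt: ProcessAccessEvent) -> bool:
    """Semantics of <GrantedAccess condition="is">0x1010</GrantedAccess>:
    Sysmon compares the logged field text for equality. A bare filter like
    this in an "or" RuleGroup fires for any source/target pair with that mask."""
    return evt.granted_access.lower() == "0x1010"


def matches_mask_rule(evt: ProcessAccessEvent) -> bool:
    """Alternative (not in the issue): treat 0x1010 as a bit mask and flag any
    access that includes both rights, even when extra bits are also granted."""
    granted = int(evt.granted_access, 16)
    return granted & RULE_MASK == RULE_MASK


def decode_access(granted_access: str) -> List[str]:
    """Name the two rights the rule is built from; other bits are reported as hex."""
    granted = int(granted_access, 16)
    names = []
    if granted & PROCESS_VM_READ:
        names.append("PROCESS_VM_READ")
    if granted & PROCESS_QUERY_LIMITED_INFORMATION:
        names.append("PROCESS_QUERY_LIMITED_INFORMATION")
    rest = granted & ~RULE_MASK
    if rest:
        names.append(hex(rest))
    return names


# Constructed Event ID 10 records; paths and masks are illustrative only.
SAMPLE_EVENTS = [
    ProcessAccessEvent(r"C:\Users\demo\tool.exe", r"C:\Windows\system32\lsass.exe", "0x1010"),
    ProcessAccessEvent(r"C:\Users\demo\tool.exe", r"C:\Windows\system32\lsass.exe", "0x1410"),
    ProcessAccessEvent(r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe", "0x1010"),
    ProcessAccessEvent(r"C:\Windows\system32\taskmgr.exe", r"C:\Windows\system32\lsass.exe", "0x1400"),
]


def evaluate(events: List[ProcessAccessEvent],
             rule: Callable[[ProcessAccessEvent], bool]) -> List[str]:
    """Return 'source -> target (access)' for every event the given rule flags."""
    return [f"{e.source_image} -> {e.target_image} ({e.granted_access})"
            for e in events if rule(e)]
```

Running `evaluate(SAMPLE_EVENTS, matches_exact_rule)` flags two events, including the svchost-to-svchost one, which shows the filter also fires on targets other than LSASS unless it is combined with a TargetImage condition in an `and` rule.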