Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 6 Hours
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Medium
Description
Lsass.exe does not normally write executable files to disk. This activity was seen as part of several exploits, like EternalBlue and DoublePulsar, used during the WannaCry attacks.
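The check described above, with the 6-hour deduplication period from the synopsis, can be sketched over file-creation events. This is an added example, not the product's detector logic; the event schema, the extension list, the LSASS image path and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ntpath import splitext  # parses Windows paths on any OS

DEDUP = timedelta(hours=6)  # deduplication period from the synopsis
# Assumption: this extension list is illustrative, not the product's.
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}
LSASS = r"c:\windows\system32\lsass.exe"  # assumed genuine image path

def is_executable(ev):
    """Executable by extension, or by PE 'MZ' magic when the name is disguised."""
    ext = splitext(ev["target_path"])[1].lower()
    return ext in EXEC_EXTS or bytes.fromhex(ev["first_bytes_hex"])[:2] == b"MZ"

def detect(events):
    """Alert on lsass.exe creating executables, at most once per host per 6 hours."""
    last_alert, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "file_create" or ev["actor_image"].lower() != LSASS:
            continue
        if not is_executable(ev):
            continue
        prev = last_alert.get(ev["host"])
        if prev is not None and ev["time"] - prev < DEDUP:
            continue  # repeat inside the deduplication window
        last_alert[ev["host"]] = ev["time"]
        alerts.append((ev["host"], ev["time"], ev["target_path"]))
    return alerts

def make_event(host, hours, image, path, magic_hex):
    """Build one constructed file-creation event (hypothetical schema)."""
    return {"host": host, "time": T0 + timedelta(hours=hours), "action": "file_create",
            "actor_image": image, "target_path": path, "first_bytes_hex": magic_hex}

T0 = datetime(2024, 1, 1, 9, 0)
LSASS_IMG = r"C:\Windows\System32\lsass.exe"
# Constructed sample events; file names and hosts are made up.
SAMPLE = [
    make_event("ws01", 0, LSASS_IMG, r"C:\Windows\sample1.exe", "4d5a9000"),       # alert
    make_event("ws01", 1, LSASS_IMG, r"C:\Windows\sample2.dll", "4d5a9000"),       # deduplicated
    make_event("ws01", 7, LSASS_IMG, r"C:\Windows\Temp\sample3.tmp", "4d5a9000"),  # alert: MZ header
    make_event("ws02", 0, LSASS_IMG, r"C:\Windows\Temp\sample4.log", "23204c6f"),  # not executable
    make_event("ws02", 0, r"C:\Windows\explorer.exe", r"C:\Users\a\sample5.exe", "4d5a9000"),  # not lsass
]

if __name__ == "__main__":
    for host, when, path in detect(SAMPLE):
        print(f"{when:%Y-%m-%d %H:%M} {host} lsass.exe wrote {path}")
```

Checking the first bytes as well as the extension catches an executable written under a non-executable name, as in the third sample event.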
Attacker's Goals
This activity was an important stage for several exploits.
Investigative actions
Check the file that was written to disk for malicious activity.