Detection rules › By event

Microsoft-Windows-Sysmon Event ID 10

59 detection rules reference this event. View event page.

Sigma (30)

CMSTP Execution Process Access severity high T1218, T1218.003, T1559, T1559.001
Credential Dumping Activity By Python Based Tool severity high T1003, T1003.001
Credential Dumping Attempt Via Svchost severity high T1548
Credential Dumping Attempt Via WerFault severity high T1003, T1003.001
Function Call From Undocumented COM Interface EditionUpgradeManager severity medium T1548, T1548.002
HackTool - CobaltStrike BOF Injection Pattern severity high T1106, T1685
HackTool - Generic Process Access severity high T1003, T1003.001
HackTool - HandleKatz Duplicating LSASS Handle severity high T1003, T1003.001, T1106
HackTool - LittleCorporal Generated Maldoc Injection severity high T1055, T1055.003, T1204, T1204.002
HackTool - SysmonEnte Execution severity high T1685, T1685.001
LSASS Access From Potentially White-Listed Processes severity high T1003, T1003.001
LSASS Access From Program In Potentially Suspicious Folder severity medium T1003, T1003.001
LSASS dump via process access severity high T1003, T1003.001
LSASS Memory Access by Tool With Dump Keyword In Name severity high T1003, T1003.001
Lsass Memory Dump via Comsvcs DLL severity high T1003, T1003.001
Malware Shellcode in Verclsid Target Process severity high T1055
Potential Credential Dumping Activity Via LSASS severity medium T1003, T1003.001
Potential Credential Dumping Attempt Via PowerShell severity medium T1003, T1003.001
Potential Direct Syscall of NtOpenProcess severity medium T1106
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access severity high T1105, T1218
Potential Shellcode Injection severity medium T1055
Potentially Suspicious GrantedAccess Flags On LSASS severity medium T1003, T1003.001
Remote LSASS Process Access Through Windows Remote Management severity high T1003, T1003.001, T1021, T1021.006, T1059, T1059.001
Suspicious LSASS Access Via MalSecLogon severity high T1003, T1003.001
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze severity high T1685
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs severity high T1003, T1003.001, T1685
Suspicious Svchost Process Access severity high T1685, T1685.001
UAC Bypass Using WOW64 Logger DLL Hijack severity high T1548, T1548.002
Uncommon GrantedAccess Flags On LSASS severity medium T1003, T1003.001
Uncommon Process Access Rights For Target Image severity low T1055, T1055.011

Elastic (7)

Potential Credential Access via DuplicateHandle in LSASS severity medium T1003, T1003.001
Potential Credential Access via LSASS Memory Dump severity high T1003, T1003.001, T1106
Potential LSASS Memory Dump via PssCaptureSnapShot severity high T1003, T1003.001
Suspicious LSASS Access via MalSecLogon severity high T1003, T1003.001
Suspicious Lsass Process Access severity medium T1003, T1003.001
Suspicious Process Access via Direct System Call severity high T1055, T1106
Suspicious Process Creation CallTrace severity medium T1055, T1055.012

Splunk (15)

Access LSASS Memory for Dump Creation severity medium T1003, T1003.001
Detect Credential Dumping through LSASS access severity medium T1003, T1003.001
Mimikatz (Sysmon) T1003, T1003.001, T1003.002, T1003.004, T1003.006, T1552
Rubeus Kerberos Ticket Exports Through Winlogon Access severity medium T1550, T1550.003
Spoolsv Suspicious Process Access severity medium T1068
Windows Access Token Manipulation Winlogon Duplicate Token Handle T1134, T1134.001
Windows Access Token Winlogon Duplicate Handle In Uncommon Path severity low T1134, T1134.001
Windows Handle Duplication in Known UAC-Bypass Binaries severity low T1134, T1134.001
Windows Hunting System Account Targeting Lsass T1003, T1003.001
Windows Non-System Account Targeting Lsass severity medium T1003, T1003.001
Windows Possible Credential Dumping severity medium T1003, T1003.001
Windows Process Injection into Commonly Abused Processes severity low T1055, T1055.002
Windows Process Injection into Notepad severity low T1055, T1055.002
Windows Terminating Lsass Process severity low T1685
Windows WMI Impersonate Token severity low T1047

Kusto (2)

Dumping LSASS Process Into a File severity high T1003, T1003.001
LSASS Dumping using Debug Privileges T1003, T1003.001, T1106

YARA-L (5)

Credential Dumping Attempt Via WerFault severity high T1003, T1003.001
HackTool - Generic Process Access severity high T1003, T1003.001
LSASS Memory Access by Tool With Dump Keyword In Name severity high T1003, T1003.001
Lsass Memory Dump via Comsvcs DLL severity high T1003, T1003.001
Potential Credential Dumping Activity Via LSASS severity medium T1003, T1003.001

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-Sysmon Event ID 10

Sigma (30)

Elastic (7)

Splunk (15)

Kusto (2)

YARA-L (5)

Keyboard shortcuts

Search operators