Posts tagged #credential-theft

Detecting code injection and credential theft with Sysmon: CreateRemoteThread (Event ID 8) and ProcessAccess (Event ID 10), reading the GrantedAccess masks of handles opened to lsass.exe, and using the CallTrace field to find unsigned modules on the calling stack.