Rules Contributing to Suspicious Handle Request to Sensitive Object Alerts

The following rules identify suspicious activity involving handle requests to sensitive objects. A match on any one of them raises a Suspicious Handle Request to Sensitive Object alert. Details for each rule can be viewed by clicking the More Details link in its description.

Title                              Description
---------------------------------  --------------------------------------------------------------------------
Password Dumper Activity on LSASS  Detects a handle request involving the LSASS process with a particular
                                   access mask and the object type SAM_DOMAIN
SAM Registry Hive Handle Request   Detects handle requests to the SAM registry hive
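The following is an added example, not code from the original page or from the product it documents: a minimal matcher for the two rules above, run over constructed Windows Security event records. The page does not state which event feeds the rules or which access mask the LSASS rule keys on; the example assumes event 4656 ("A handle to an object was requested"), the field names shown, and the mask 0x705 used by the public Sigma rule that carries the same title. A different product may use other field names or mask values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple, Union

# Windows Security event "A handle to an object was requested". Assumed here to be
# the source of both rules; the page does not state the event ID.
HANDLE_REQUESTED = 4656

# Assumed access mask for the LSASS/SAM_DOMAIN rule. The page only says "a particular
# access mask"; 0x705 is the value the public Sigma rule of the same title uses.
LSASS_SAM_DOMAIN_MASK = 0x705


@dataclass(frozen=True)
class HandleEvent:
    """Subset of 4656 fields the two rules need (field names are assumptions)."""
    event_id: int
    object_type: str   # e.g. "Key", "SAM_DOMAIN", "File"
    object_name: str   # e.g. "\\REGISTRY\\MACHINE\\SAM"
    process_name: str  # process that requested the handle
    access_mask: int


def parse_access_mask(raw: Union[int, str]) -> int:
    """4656 carries Access Mask as a hex string such as "0x705"; accept that or an int."""
    if isinstance(raw, int):
        return raw
    return int(raw.strip(), 16)


def password_dumper_activity_on_lsass(ev: HandleEvent) -> bool:
    """Handle request logged for lsass.exe with the suspect mask on a SAM_DOMAIN object."""
    return (
        ev.event_id == HANDLE_REQUESTED
        and ev.process_name.lower().endswith("\\lsass.exe")
        and ev.object_type == "SAM_DOMAIN"
        and ev.access_mask == LSASS_SAM_DOMAIN_MASK
    )


def sam_registry_hive_handle_request(ev: HandleEvent) -> bool:
    """Handle request for the SAM registry hive key, from any process."""
    return (
        ev.event_id == HANDLE_REQUESTED
        and ev.object_type == "Key"
        and ev.object_name.upper().endswith("\\SAM")
    )


RULES: Dict[str, Callable[[HandleEvent], bool]] = {
    "Password Dumper Activity on LSASS": password_dumper_activity_on_lsass,
    "SAM Registry Hive Handle Request": sam_registry_hive_handle_request,
}


def evaluate(events: Iterable[HandleEvent]) -> List[Tuple[str, HandleEvent]]:
    """Return (rule title, event) for every event/rule pair that matches.
    Any single match is enough to raise the alert the page describes."""
    return [(title, ev) for ev in events for title, rule in RULES.items() if rule(ev)]


# Constructed sample records (not real log data). Object names for SAM objects are
# placeholders; registry object names use the \REGISTRY\MACHINE\... form 4656 logs.
LSASS = "C:\\Windows\\System32\\lsass.exe"
REG = "C:\\Windows\\System32\\reg.exe"
EXPLORER = "C:\\Windows\\explorer.exe"

SAMPLE_EVENTS = [
    # matches rule 1: lsass.exe, SAM_DOMAIN, mask 0x705
    HandleEvent(4656, "SAM_DOMAIN", "DOMAINS\\Account", LSASS, parse_access_mask("0x705")),
    # matches rule 2: handle requested on the SAM hive key
    HandleEvent(4656, "Key", "\\REGISTRY\\MACHINE\\SAM", REG, parse_access_mask("0x20019")),
    # benign key access elsewhere in the registry: no match
    HandleEvent(4656, "Key", "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows", EXPLORER,
                parse_access_mask("0x20019")),
    # same object and process as the first record but a different mask: no match
    HandleEvent(4656, "SAM_DOMAIN", "DOMAINS\\Account", LSASS, parse_access_mask("0x1")),
    # 4663 (access attempted) on the SAM hive: the rules key on handle *requests* only
    HandleEvent(4663, "Key", "\\REGISTRY\\MACHINE\\SAM", REG, parse_access_mask("0x1")),
]


def alert_titles(events: Iterable[HandleEvent] = SAMPLE_EVENTS) -> List[str]:
    """Titles of the rules that fired, in event order."""
    return [title for title, _ in evaluate(events)]


if __name__ == "__main__":
    for title, ev in evaluate(SAMPLE_EVENTS):
        print(f"{title}: {ev.process_name} -> {ev.object_type} {ev.object_name} "
              f"mask=0x{ev.access_mask:x}")
```

Two practical points when wiring rules like these to real telemetry: 4656 is only written when object access auditing is enabled for the relevant subcategory (Audit SAM for SAM objects, Audit Registry for keys) and the object's SACL requests auditing, so an empty result may mean the audit policy is off rather than that nothing touched the object; and the SAM hive rule will also match backup and security tools that legitimately open the hive, so it normally needs a process allowlist before it is alert-worthy on its own.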