SigmaHQ/rules/windows/process_creation/win_hktl_createminidump.yml

action: global
title: CreateMiniDump Hacktool
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
author: Florian Roth
references:
    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
date: 2019/12/22
tags:
    - attack.credential_access
    - attack.t1003.001
    - attack.t1003  # an old one
falsepositives:
    - Unknown
level: high
---
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|contains: '\CreateMiniDump.exe'
    selection2:
        Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
    condition: 1 of them
---
logsource:
    product: windows
    category: file_event
detection:
    selection:
        EventID: 11
        TargetFilename|endswith: '\lsass.dmp'
    condition: 1 of them
rule: CreateMiniDump 2019-12-22 07:29:12 +00:00			`action: global`
			`title: CreateMiniDump Hacktool`
			`id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d`
			`description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine`
			`author: Florian Roth`
			`references:`
			`- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass`
			`date: 2019/12/22`
			`tags:`
			`- attack.credential_access`
Further subtechnique updates 2020-06-17 17:31:40 +00:00			`- attack.t1003.001`
att&ck tags review: windows/process_creation part 3 2020-09-01 17:02:36 +00:00			`- attack.t1003 # an old one`
rule: CreateMiniDump 2019-12-22 07:29:12 +00:00			`falsepositives:`
			`- Unknown`
			`level: high`
			`---`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
Fixes and improvements 2021-04-02 22:00:43 +00:00			`selection1:`
rule: CreateMiniDump 2019-12-22 07:29:12 +00:00			`Image\|contains: '\CreateMiniDump.exe'`
			`selection2:`
			`Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'`
			`condition: 1 of them`
			`---`
			`logsource:`
			`product: windows`
- Cleaned up some more rules where 'service: sysmon' was combined with category - Replaced 'service: sysmon' with category: ... for some more events to make the rules more product independent modified: rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml modified: rules/windows/malware/mal_azorult_reg.yml modified: rules/windows/powershell/powershell_suspicious_profile_create.yml modified: rules/windows/process_creation/sysmon_cmstp_execution.yml modified: rules/windows/process_creation/win_apt_chafer_mar18.yml modified: rules/windows/process_creation/win_apt_unidentified_nov_18.yml modified: rules/windows/process_creation/win_hktl_createminidump.yml modified: rules/windows/process_creation/win_mal_adwind.yml modified: rules/windows/process_creation/win_silenttrinity_stage_use.yml 2020-10-02 08:45:29 +00:00			`category: file_event`
rule: CreateMiniDump 2019-12-22 07:29:12 +00:00			`detection:`
			`selection:`
			`EventID: 11`
Fixes and improvements 2021-04-02 22:00:43 +00:00			`TargetFilename\|endswith: '\lsass.dmp'`
rule: CreateMiniDump 2019-12-22 07:29:12 +00:00			`condition: 1 of them`