title: LSASS Memory Dumping
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe, which contains sensitive credentials.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
    - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml
tags:
    - attack.credential_access
    - attack.t1003
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - 'lsass'
            - '.dmp'
    selection2:
        Image|endswith: '\werfault.exe'
    selection3:
        Image|contains: '\procdump'
        Image|endswith: '.exe'
        CommandLine|contains: 'lsass'
    condition: selection1 and not selection2 or selection3
fields:
    - ComputerName
    - User
    - CommandLine
falsepositives:
    - Unlikely
level: high
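As an added example (not code from the rule's author or the Sigma project), the three selections and the condition above evaluated in Python over constructed process_creation events, with Sigma's case-insensitive string matching and its operator precedence (`and` binds tighter than `or`) made explicit.

```python
# Added example, not part of the rule or the Sigma project: the rule's three
# selections and condition run over constructed process_creation events.

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Tools\\procdump64.exe",
     "CommandLine": "procdump64.exe -ma lsass.exe lsass.dmp"},
    {"ComputerName": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Tools\\PROCDUMP.EXE",
     "CommandLine": "PROCDUMP.EXE -ma LSASS.EXE C:\\Temp\\out.dmp"},
    {"ComputerName": "WS03", "User": "CORP\\carol",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c copy C:\\Temp\\lsass.dmp D:\\backup\\"},
    {"ComputerName": "WS04", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\WerFault.exe",
     "CommandLine": "WerFault.exe -u -p 712 -s 1324 lsass.dmp"},
    {"ComputerName": "WS05", "User": "CORP\\dave",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Docs\\notes.txt"},
]

def _ci(value):
    return (value or "").lower()  # case-insensitive; a missing field matches nothing

def selection1(event):
    # CommandLine|contains|all: both 'lsass' and '.dmp' must be present.
    cmd = _ci(event.get("CommandLine"))
    return all(term in cmd for term in ("lsass", ".dmp"))

def selection2(event):
    # Image|endswith '\werfault.exe': Windows Error Reporting writing a crash dump.
    return _ci(event.get("Image")).endswith("\\werfault.exe")

def selection3(event):
    # Image|contains '\procdump', Image|endswith '.exe', CommandLine|contains 'lsass'.
    image = _ci(event.get("Image"))
    return ("\\procdump" in image and image.endswith(".exe")
            and "lsass" in _ci(event.get("CommandLine")))

def matches(event):
    # Sigma's condition grammar: "selection1 and not selection2 or selection3"
    # is "(selection1 and not selection2) or selection3".
    return (selection1(event) and not selection2(event)) or selection3(event)

def run_rule(events):
    """Return the rule's 'fields' for each matching event, one row per alert."""
    return [{key: event.get(key) for key in ("ComputerName", "User", "CommandLine")}
            for event in events if matches(event)]
```

The WerFault event shows the exclusion at work: it satisfies selection1 but is suppressed by selection2, while the mixed-case procdump invocation still matches through selection3.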