SigmaHQ/rules/windows/process_creation/win_lsass_dump.yml

29 lines
884 B
YAML
Raw Normal View History

2019-10-28 10:59:49 +00:00
title: LSASS Memory Dumping
description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert)
date: 2019/10/24
tags:
- attack.credential_access
- attack.t1003
detection:
selection1:
CommandLine:
- '* lsass*.dmp*'
selection2:
Image:
- '*werfault.exe'
selection3:
Image:
- '*procdump*.exe'
selection4:
CommandLine:
- '* lsass*'
condition: selection1 and not selection2 or selection3 and selection4
falsepositives:
- unlike
level: high
logsource:
category: process_creation
product: windows