title: LSASS Memory Dumping
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
    - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml
tags:
    - attack.credential_access
    - attack.t1003
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - 'lsass'
            - '.dmp'
    selection2:
        Image|endswith: '\werfault.exe'
    selection3:
        Image|contains: '\procdump'
        Image|endswith: '.exe'
        CommandLine|contains: 'lsass'
    condition: selection1 and not selection2 or selection3
fields:
    - ComputerName
    - User
    - CommandLine
falsepositives:
    - Unlikely
level: high