action: global
title: CreateMiniDump Hacktool
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
author: Florian Roth
references:
    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
date: 2019/12/22
tags:
    - attack.credential_access
    - attack.t1003.001
    - attack.t1003  # an old one
falsepositives:
    - Unknown
level: high
---
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|contains: '\CreateMiniDump.exe'
    selection2:
        Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
    condition: 1 of them
---
logsource:
    product: windows
    category: file_event
detection:
    selection:
        EventID: 11
        TargetFilename|endswith: '\lsass.dmp'
    condition: 1 of them