title: Dumping Lsass.exe Memory with MiniDumpWriteDump API id: dd5ab153-beaa-4315-9647-65abc5f71541 status: experimental description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. date: 27/10/2019 modified: 2019/11/13 author: Perez Diego (@darkquassar), oscd.community references: - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 tags: - attack.credential_access - attack.t1003 logsource: product: windows service: sysmon detection: signedprocess: EventID: 7 ImageLoaded|endswith: - '\dbghelp.dll' - '\dbgcore.dll' Image|endswith: - '\msbuild.exe' - '\cmd.exe' - '\svchost.exe' - '\rundll32.exe' - '\powershell.exe' - '\word.exe' - '\excel.exe' - '\powerpnt.exe' - '\outlook.exe' - '\monitoringhost.exe' - '\wmic.exe' - '\msiexec.exe' - '\bash.exe' - '\wscript.exe' - '\cscript.exe' - '\mshta.exe' - '\regsvr32.exe' - '\schtasks.exe' - '\dnx.exe' - '\regsvcs.exe' - '\sc.exe' - '\scriptrunner.exe' unsignedprocess: EventID: 7 ImageLoaded|endswith: - '\dbghelp.dll' - '\dbgcore.dll' Signed: "FALSE" filter: Image|contains: 'Visual Studio' condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter) fields: - ComputerName - User - Image - ImageLoaded falsepositives: - Penetration tests level: critical