PowerShell MiniDump Script
Detects PowerShell scripts referencing MiniDumpWriteDump or full-memory minidump types, which can capture process memory. Attackers use this technique to dump credential-bearing processes like LSASS for credential theft and lateral movement.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/10/05"
integration = ["windows"]
maturity = "production"
updated_date = "2026/04/27"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell scripts referencing MiniDumpWriteDump or full-memory minidump types, which can capture
process memory. Attackers use this technique to dump credential-bearing processes like LSASS for credential theft and
lateral movement.
"""
false_positives = [
    "Bounded troubleshooting, IR, lab-validation, or red-team activity where the reconstructed target/output, launch context, and artifact/authentication evidence align.",
]
from = "now-9m"
index = ["logs-windows.powershell*", "winlogbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell MiniDump Script"
references = [
    "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1",
    "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1",
    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
]
risk_score = 73
rule_id = "577ec21e-56fe-4065-91d8-45eb8224fe77"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
    "Data Source: PowerShell Logs",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:windows and
powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
'''

note = """## Triage and analysis

### Investigating PowerShell MiniDump Script
#### Possible investigation steps

- What does the reconstructed script block prove about minidump intent?
  - Focus: Reconstruct `powershell.file.script_block_text` with `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`, and `host.id`; determine whether code only defines dump capability, selects a target, or invokes a full-memory dump with an output path.
  - Hint: recover fragments, order by `powershell.sequence`, then interpret the full text. $investigate_2
  - Implication: escalate when reconstruction shows LSASS or another credential-bearing target, all-process dumping, full-memory flags, explicit PID/output path, archive/base64 handling, or cleanup; lower concern only for confirmed examples or comments with no target, output, or execution path.

- If endpoint process telemetry is available, how was the PowerShell instance launched?
  - Focus: Recover the matching process via `host.id + process.pid` before interpreting `process.*` or `process.parent.*`; review recovered `process.command_line`, `process.parent.executable`, `process.parent.command_line`, and `process.Ext.token.integrity_level_name`. $investigate_3
  - Hint: record `process.entity_id` for file scoping and `process.Ext.authentication_id` for authentication bridging. If no process start event appears after time expansion, keep later pivots bounded to `host.id`, `user.id`, `process.pid`, and alert time.
  - Implication: escalate when launch came from a browser, document, chat client, remote tool, scheduled task, user-writable script path, or unexplained elevated context; lower concern when the launch chain matches the same recognized troubleshooting, IR, lab-validation, or red-team workflow as the script content.

- Did the script or recovered process leave dump output or staging evidence?
  - Focus: reconstructed `powershell.file.script_block_text` for operator-controlled dump paths, default "<process>_<pid>.dmp" names, full-dump flags, archive/base64 staging, or delete-after-write logic.
  - Hint: scope file events to `host.id`, `process.pid`, and the alert window with `file.path` and `file.name`. $investigate_4
  - Implication: confirm dumping when a ".dmp", renamed dump, archive, or cleanup path matches the script or recovered process. Missing endpoint file telemetry is unresolved, not benign.

- If a process session is recovered, does authentication evidence show credential use after dumping?
  - Focus: Use same-host/user Windows Security events for `event.code` 4624, 4625, or 4648; review `source.ip` and `winlog.event_data.AuthenticationPackageName` where present. $investigate_5
  - Hint: Bridge `process.Ext.authentication_id` to same-host `winlog.event_data.TargetLogonId`; search backward from process `@timestamp` because session-creating 4624 can predate the script. Search `event.code` 4648 separately on `winlog.event_data.SubjectLogonId` for explicit-credential use.
  - Implication: escalate when new remote logons, unexpected NTLM or Kerberos activity, explicit-credential use, or privileged session creation follows the dump window. Missing authentication telemetry is unresolved, not benign.

- If local evidence remains suspicious or unresolved, does related activity widen the user or host scope?
  - Focus: related alerts for `user.id` covering credential access, LSASS access, dump-file creation, or lateral movement. $investigate_0
  - Hint: compare `host.id` related alerts for the same behavior families, including non-PowerShell LSASS access or dump-file creation that confirms adjacent credential-dumping variants. $investigate_1
  - Implication: broaden containment or scoping when related alerts show adjacent credential-dumping or post-compromise behavior by the same user or host; keep local when related alerts are quiet and local evidence resolves to one recognized workflow. Recurrence alone does not close unresolved telemetry.

- Escalate when script intent, launch, artifacts, authentication follow-on, or related-alert scope points to unauthorized memory dumping; close only when all evidence fits one bounded troubleshooting, IR, lab-validation, or red-team activity; preserve and escalate when evidence is mixed or incomplete.

### False positive analysis

- Recognized troubleshooting, IR, lab-validation, or red-team activity can use minidump code. Confirm that reconstructed `powershell.file.script_block_text`, target or PID, output path, `user.id`, `host.id`, alert source path, recovered launch chain if available, and dump/authentication evidence align with the same bounded activity. If workflow records are unavailable, recurrence must show the same target/output, user/host cohort, and launch pattern without contradictory dump or authentication activity. LSASS targeting, cleanup, archive/base64 handling, post-alert authentication outside that activity, or unresolved script/process/auth evidence prevents benign closure.
- Build exceptions from the minimum confirmed pattern: `user.id`, `host.id`, alert source path, reconstructed target/output pattern, and recovered launcher identity if available. Avoid exceptions on minidump strings, `user.name`, or host alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and document the exact workflow evidence: reconstructed script content, target process, output path, source path, `user.id`, `host.id`, and recovered launch context if available. Create an exception only after the same pattern is proven stable across prior alerts.
- If suspicious but unconfirmed, preserve the alert, reconstructed script fragments, recovered process details, dump paths, dump or archive artifacts, and linked `winlog.event_data.TargetLogonId`, `winlog.event_data.SubjectLogonId`, or `source.ip` evidence before containment. Apply reversible containment tied to the findings, such as restricting the affected account, collecting the dump artifact, or isolating the host when active dumping or credential use may continue.
- If confirmed malicious, preserve the evidence set before terminating processes or deleting files, then contain the host or account according to host criticality and credential-use evidence. Rotate or reset exposed credentials when LSASS, another credential-bearing process, confirmed dump artifacts, or post-dump authentication are present.
- Eradicate only the unauthorized scripts, dump files, archives, and persistence or delivery artifacts identified during the investigation. Review related `user.id` and `host.id` alerts for the same script fragments or dump paths before declaring scope closed.
- Document any missing process, file, or Windows Security telemetry that limited the investigation so responders know which conclusions were evidence-backed and which remained unresolved.
"""

setup = """## Setup

PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
Setup instructions: https://ela.st/powershell-logging-setup
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user.id",
    "user.domain",
    "powershell.file.script_block_text",
    "powershell.file.script_block_id",
    "powershell.sequence",
    "powershell.total",
    "file.path",
    "file.directory",
    "file.name",
    "process.pid",
    "host.name",
    "host.id",
    "powershell.file.script_block_length"
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "All PowerShell 4104 fragments for this script on this host"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "powershell.file.script_block_id", queryType = "phrase", value = "{{powershell.file.script_block_id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4104", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process events for the PowerShell instance"
description = ""
providers = [
  [
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the PowerShell process"
description = ""
providers = [
  [
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Windows Security authentication events for the user"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4624", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4625", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4648", valueType = "string" }
  ]
]
relativeFrom = "now-24h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
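The query above fires on each 4104 fragment independently, while the first investigation step asks the analyst to stitch the fragments of one script block back together before judging intent. The following example, written for this page and not part of Elastic's rule or code, shows both: a per-event match that approximates the KQL clause, reconstruction keyed on `host.id` and `powershell.file.script_block_id` ordered by `powershell.sequence` with a completeness check against `powershell.total`, and a triage pass that flags the escalation cues the guide lists (LSASS target, full-memory flag, `.dmp` path, archiving or base64, cleanup). The events are constructed sample data, the cue regexes are this example's own choices, and the tokenizer only approximates Elasticsearch's standard analyzer.

```python
"""Reconstruct PowerShell 4104 script-block fragments, apply the rule's
MiniDump indicators per event (as the KQL does) and to the whole script, and
flag the escalation cues listed in the triage guide.

Example written for this page; it is not Elastic's code. Field names are the
ECS / windows-integration fields the rule uses; the events below are
constructed sample data, and the cue regexes are this example's own choices.
"""
import re

# Terms from the rule query. KQL on a text field matches analyzed tokens
# case-insensitively; tokens() below approximates the standard analyzer.
INDICATORS = {"minidumpwritedump", "minidumpwithfullmemory", "pmudetirwpmudinim"}

# Cues from the guide's "Implication" bullets (escalate when present).
ESCALATION_CUES = {
    "lsass_target":      re.compile(r"\blsass\b", re.I),
    "full_memory_flag":  re.compile(r"MiniDumpWithFullMemory", re.I),
    "dump_output_path":  re.compile(r"\.dmp\b", re.I),
    "archive_or_base64": re.compile(r"Compress-Archive|ToBase64String", re.I),
    "cleanup":           re.compile(r"Remove-Item|\bdel\b", re.I),
    "reversed_api_name": re.compile(r"pmuDetirWpmuDiniM", re.I),
}


def tokens(text):
    """Lower-cased alphanumeric tokens, roughly what the standard analyzer emits."""
    return set(re.findall(r"[a-z0-9_]+", text.lower()))


def rule_matches(event):
    """Per-event equivalent of the rule's KQL clause."""
    return (event.get("event.category") == "process"
            and event.get("host.os.type") == "windows"
            and bool(tokens(event.get("powershell.file.script_block_text", "")) & INDICATORS))


def reconstruct(events, host_id, block_id):
    """Order the 4104 fragments of one script block on one host by
    powershell.sequence. Returns (complete, text); a gap in the sequence is
    reported as incomplete rather than silently joined."""
    frags = sorted((e for e in events
                    if e.get("host.id") == host_id and e.get("event.code") == "4104"
                    and e.get("powershell.file.script_block_id") == block_id),
                   key=lambda e: e["powershell.sequence"])
    if not frags:
        return False, ""
    expected = list(range(1, frags[0]["powershell.total"] + 1))
    complete = [f["powershell.sequence"] for f in frags] == expected
    return complete, "".join(f["powershell.file.script_block_text"] for f in frags)


def triage(script_text):
    """Names of the escalation cues present in the reconstructed script."""
    return {name for name, rx in ESCALATION_CUES.items() if rx.search(script_text)}


def _ev(host, block, seq, total, text):
    return {"event.category": "process", "event.code": "4104", "host.os.type": "windows",
            "host.id": host, "powershell.file.script_block_id": block,
            "powershell.sequence": seq, "powershell.total": total,
            "powershell.file.script_block_text": text}


# Constructed sample: block blk-a on h-01 arrives out of order and only its
# second fragment carries a query term, yet the target, output path, archiving
# and cleanup live in the other two. blk-b on h-02 is a comment with no target.
EVENTS = [
    _ev("h-01", "blk-a", 1, 3,
        "$p = Get-Process lsass\n$out = \"$env:TEMP\\$($p.Name)_$($p.Id).dmp\"\n"),
    _ev("h-01", "blk-a", 3, 3,
        "Compress-Archive -Path $out -DestinationPath \"$out.zip\"\nRemove-Item $out\n"),
    _ev("h-01", "blk-a", 2, 3,
        "$dump = $native.GetMethod('MiniDumpWriteDump')\n$kind = 2  # MiniDumpWithFullMemory\n"),
    _ev("h-02", "blk-b", 1, 1,
        "# MiniDumpWriteDump is what ProcDump calls under the hood; nothing dumped here\n"),
    _ev("h-01", "blk-c", 1, 1, "Get-Service | Where-Object Status -eq Running\n"),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["host.id"], e["powershell.file.script_block_id"],
              e["powershell.sequence"], "matches" if rule_matches(e) else "-")
    for host, block in (("h-01", "blk-a"), ("h-02", "blk-b")):
        complete, text = reconstruct(EVENTS, host, block)
        print(host, block, "complete" if complete else "INCOMPLETE", sorted(triage(text)))
```

Two points the sample makes concrete: the alert for blk-a is raised by the one fragment that names the API, so the analyst sees neither the LSASS target nor the cleanup until the block is reconstructed; and blk-b trips the same query but yields no escalation cue, which is the "comments with no target, output, or execution path" case the guide describes. A missing fragment is reported as incomplete so that a partial reconstruction is not mistaken for a benign one.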
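The authentication step in the guide hinges on one join: the `process.Ext.authentication_id` of the recovered PowerShell process is the logon session ID that Windows Security writes as `TargetLogonId` in the 4624 that created the session (which usually predates the script, hence the backward search) and as `SubjectLogonId` in any 4648 where that session supplied explicit credentials. The example below, written for this page and not Elastic's code, performs that bridge over constructed events and then looks for remote-type 4624 logons by the same user after the dump. It assumes the logon IDs are hex strings that may differ in case or zero padding between the two sources, so they are compared as integers; the SID, host IDs, timestamps and target names are all made up.

```python
"""Bridge a recovered PowerShell process to Windows Security logon events, as
the guide's authentication step describes: locate the 4624 that created the
process's logon session (searching backward from process start), then look
for 4648 explicit-credential use by that session and new remote logons for
the same user after the dump.

Example written for this page; it is not Elastic's code. Assumptions: logon
IDs are hex strings that may differ in case or zero padding between Endpoint's
process.Ext.authentication_id and Security's TargetLogonId/SubjectLogonId, so
they are compared as integers; every event below is constructed sample data.
"""
from datetime import datetime, timedelta

REMOTE_LOGON_TYPES = {"3", "10"}   # network, RemoteInteractive
WD = "winlog.event_data."


def ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def logon_id(value):
    """'0x3E7E2', '0x3e7e2' and '0x00003e7e2' all map to the same integer."""
    return int(value, 16)


def session_logon(security, proc):
    """Latest same-host 4624 whose TargetLogonId is the process's logon session
    and which predates the process start."""
    want = logon_id(proc["process.Ext.authentication_id"])
    cands = [e for e in security
             if e["host.id"] == proc["host.id"] and e["event.code"] == "4624"
             and logon_id(e[WD + "TargetLogonId"]) == want
             and ts(e["@timestamp"]) <= ts(proc["@timestamp"])]
    return max(cands, key=lambda e: ts(e["@timestamp"]), default=None)


def explicit_credential_use(security, proc, window):
    """Same-host 4648 events where the process's session supplied explicit
    credentials, between process start and start + window."""
    want = logon_id(proc["process.Ext.authentication_id"])
    start = ts(proc["@timestamp"])
    return [e for e in security
            if e["host.id"] == proc["host.id"] and e["event.code"] == "4648"
            and logon_id(e[WD + "SubjectLogonId"]) == want
            and start <= ts(e["@timestamp"]) <= start + window]


def remote_logons_after(security, proc, window):
    """Remote-type 4624 logons for the same user on any host after process
    start; reused credentials usually land on another machine."""
    start = ts(proc["@timestamp"])
    return [e for e in security
            if e["event.code"] == "4624" and e["user.id"] == proc["user.id"]
            and e[WD + "LogonType"] in REMOTE_LOGON_TYPES
            and start <= ts(e["@timestamp"]) <= start + window]


def assess(security, proc, window=timedelta(hours=2)):
    """Summarise the three checks. Empty results mean nothing was seen, which
    the guide treats as unresolved rather than benign when telemetry is thin."""
    s = session_logon(security, proc)
    return {
        "session": None if s is None else (s[WD + "LogonType"], s[WD + "AuthenticationPackageName"]),
        "explicit_credential_targets": [(e[WD + "TargetUserName"], e[WD + "TargetServerName"])
                                        for e in explicit_credential_use(security, proc, window)],
        "remote_logons": [(e["host.id"], e.get("source.ip"), e[WD + "AuthenticationPackageName"])
                          for e in remote_logons_after(security, proc, window)],
    }


SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # constructed

# The recovered PowerShell process (Endpoint fields), constructed.
PROC = {"host.id": "h-01", "process.pid": 4412, "user.id": SID,
        "process.Ext.authentication_id": "0x3e7e2", "@timestamp": "2026-04-27T10:05:00Z"}

# Constructed Windows Security events (winlogbeat-style field names).
SECURITY = [
    # 4624 that created the session the script ran in, 85 minutes earlier; note the upper-case hex.
    {"event.code": "4624", "host.id": "h-01", "@timestamp": "2026-04-27T08:40:00Z", "user.id": SID,
     WD + "TargetLogonId": "0x3E7E2", WD + "LogonType": "2", WD + "AuthenticationPackageName": "Negotiate"},
    # Unrelated session on the same host (different logon ID).
    {"event.code": "4624", "host.id": "h-01", "@timestamp": "2026-04-27T09:00:00Z", "user.id": SID,
     WD + "TargetLogonId": "0x3E7F0", WD + "LogonType": "2", WD + "AuthenticationPackageName": "Negotiate"},
    # 4648 from the script's session after the dump: explicit credentials for another account.
    {"event.code": "4648", "host.id": "h-01", "@timestamp": "2026-04-27T10:12:00Z", "user.id": SID,
     WD + "SubjectLogonId": "0x3E7E2", WD + "TargetUserName": "svc-backup", WD + "TargetServerName": "fs01"},
    # 4648 from the same session before the dump: outside the window.
    {"event.code": "4648", "host.id": "h-01", "@timestamp": "2026-04-27T09:50:00Z", "user.id": SID,
     WD + "SubjectLogonId": "0x3E7E2", WD + "TargetUserName": "svc-backup", WD + "TargetServerName": "fs01"},
    # Network logon for the same user on another host shortly after the dump.
    {"event.code": "4624", "host.id": "h-02", "@timestamp": "2026-04-27T10:14:00Z", "user.id": SID,
     "source.ip": "10.0.0.5", WD + "TargetLogonId": "0x5A1C0", WD + "LogonType": "3",
     WD + "AuthenticationPackageName": "NTLM"},
]

if __name__ == "__main__":
    print(assess(SECURITY, PROC))
```

The window argument is deliberately explicit: the rule's own transform pulls 24 hours of 4624/4625/4648 for the user, but for the escalation decision only activity after the dump matters, while the session-creating 4624 is found by looking backward. Tightening the window to five minutes makes both the 4648 and the remote logon drop out, which is the situation where the guide says to record the gap rather than close the alert.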
Related rules
- Potential PowerShell Pass-the-Hash/Relay Script
- PowerShell Invoke-NinjaCopy script
- PowerShell Kerberos Ticket Dump
- PowerShell Kerberos Ticket Request
- Potential Invoke-Mimikatz PowerShell Script