Rundll32 Dumping Credentials with MiniDump Function (RedCanary Threat Detection Report)
Detects processes that seem to be rundll32.exe along with a command line containing the term MiniDump. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Rundll32 Dumping Credentials with MiniDump Function (RedCanary Threat Detection Report)
2id: b1bab1c9-9dc4-499e-aa9e-5c1b707c21e1
3status: experimental
4description: Detects processes that seem to be rundll32.exe along with a command line containing the term MiniDump. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.credential_access
11 - attack.t1003.001
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 Image|endswith: '\rundll32.exe'
18 CommandLine|contains: 'MiniDump'
19 condition: selection
20falsepositives:
21 - Unknown
22level: low```
References
-
Because of the amount of data it stores in memory, LSASS is a common target for adversaries looking to steal sensitive credentials.
Read More
Related rules
- Abnormal LSASS Child and Parent Process Relationships (RedCanary Threat Detection Report)
- Abnormal LSASS Process Access and Injection (RedCanary Threat Detection Report)
- LSASS Running Under Non-Privileged User Context (RedCanary Threat Detection Report)
- Mimikatz Command Line With Ticket Export
- Abnormal LSASS Child and Parent Process Relationships