LSASS Process Memory Dump Files

 1title: LSASS Process Memory Dump Files
 2id: a5a2d357-1ab8-4675-a967-ef9990a59391
 3related:
 4    - id: db2110f3-479d-42a6-94fb-d35bc1e46492
 5      type: obsoletes
 6    - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
 7      type: obsoletes
 8status: experimental
 9description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
10references:
11    - https://www.google.com/search?q=procdump+lsass
12    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
13    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
14    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
15    - https://github.com/helpsystems/nanodump
16    - https://github.com/CCob/MirrorDump
17author: Florian Roth (Nextron Systems)
18date: 2021/11/15
19modified: 2023/09/05
20tags:
21    - attack.credential_access
22    - attack.t1003.001
23logsource:
24    product: windows
25    category: file_event
26detection:
27    selection_1:
28        TargetFilename|endswith:
29            - '\lsass.dmp'
30            - '\lsass.zip'
31            - '\lsass.rar'
32            - '\Andrew.dmp'
33            - '\Coredump.dmp'
34            - '\NotLSASS.zip'  # https://github.com/CCob/MirrorDump
35            - '\PPLBlade.dmp'  # https://github.com/tastypepperoni/PPLBlade
36    selection_2:
37        TargetFilename|contains:
38            - '\lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
39            - '\lsassdump'
40            - '\lsassdmp'
41    selection_3:
42        TargetFilename|contains|all:
43            - '\lsass'
44            - '.dmp'
45    selection_4:
46        TargetFilename|contains: 'SQLDmpr'
47        TargetFilename|endswith: '.mdmp'
48    selection_5:
49        TargetFilename|startswith: 'nanodump'
50        TargetFilename|endswith: '.dmp'
51    condition: 1 of selection_*
52falsepositives:
53    - Unknown
54level: high

References

• procdump lsass - Google Search

  0 votes Crash Timeline: foobar.exe > WerFault.exe > procdump.exe. > lsass.exe Normally, the kernel's memory dumps are done by WerFault.exe as the SYSTEM account, ...  More

  
  Read More

• Some ways to dump LSASS.exe

  

  As always this is for educational purposes. I like to find multiple ways to do the same thing. It helps me learn and writing about it help…

  
  Read More

• detection-rules/rules/windows/credential_access_lsass_memdump_file_created.toml at c76a39796972ecde44cb1da6df47f1b6562c9770 · elastic/detection-rules

  

  Contribute to elastic/detection-rules development by creating an account on GitHub.

  
  Read More

• Attacks & Defenses: Dumping LSASS With No Mimikatz

  

  Talis from White Oak Security demonstrates the tools & the how to guide on both attacks and defenses regarding dumping LSASS without Mimikatz. Read more here.

  
  Read More

• GitHub - fortra/nanodump: The swiss army knife of LSASS dumping

  

  The swiss army knife of LSASS dumping. Contribute to fortra/nanodump development by creating an account on GitHub.

  
  Read More

• GitHub - CCob/MirrorDump: Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory

  

  Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory - CCob/MirrorDump

  
  Read More

Related rules

• Potential Credential Dumping Via LSASS Process Clone
• Lsass Full Dump Request Via DumpType Registry Settings
• Credential Dumping Tools Service Execution - Security
• HackTool - Credential Dumping Tools Named Pipe Created
• APT31 Judgement Panda Activity