LSASS Process Memory Dump Files
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
Sigma rule (View on GitHub)
1title: LSASS Process Memory Dump Files
2id: a5a2d357-1ab8-4675-a967-ef9990a59391
3related:
4 - id: db2110f3-479d-42a6-94fb-d35bc1e46492
5 type: obsolete
6 - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
7 type: obsolete
8status: test
9description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
10references:
11 - https://www.google.com/search?q=procdump+lsass
12 - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
13 - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
14 - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
15 - https://github.com/helpsystems/nanodump
16 - https://github.com/CCob/MirrorDump
17 - https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35
18 - https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
19author: Florian Roth (Nextron Systems)
20date: 2021-11-15
21modified: 2024-10-08
22tags:
23 - attack.credential-access
24 - attack.t1003.001
25logsource:
26 product: windows
27 category: file_event
28detection:
29 selection_1:
30 TargetFilename|endswith:
31 - '\Andrew.dmp'
32 - '\Coredump.dmp'
33 - '\lsass.dmp'
34 - '\lsass.rar'
35 - '\lsass.zip'
36 - '\NotLSASS.zip' # https://github.com/CCob/MirrorDump
37 - '\PPLBlade.dmp' # https://github.com/tastypepperoni/PPLBlade
38 - '\rustive.dmp' # https://github.com/safedv/RustiveDump/blob/main/src/main.rs#L35
39 selection_2:
40 TargetFilename|contains:
41 - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
42 - '\lsassdmp'
43 - '\lsassdump'
44 selection_3:
45 TargetFilename|contains|all:
46 - '\lsass'
47 - '.dmp'
48 selection_4:
49 TargetFilename|contains: 'SQLDmpr'
50 TargetFilename|endswith: '.mdmp'
51 selection_5:
52 TargetFilename|contains:
53 - '\nanodump'
54 - '\proc_' # NativeDump pattern https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
55 TargetFilename|endswith: '.dmp'
56 condition: 1 of selection_*
57falsepositives:
58 - Unknown
59level: high
References
-
-
As always this is for educational purposes. I like to find multiple ways to do the same thing. It helps me learn and writing about it help…
Read More -
-
Cyber Advisors provides customizable cybersecurity solutions & services. We help deliver, implement, manage, monitor, test defenses, & strengthen systems.
Read More -
The swiss army knife of LSASS dumping. Contribute to fortra/nanodump development by creating an account on GitHub.
Read More -
Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory - CCob/MirrorDump
Read More -
LSASS memory dumper using only NTAPIs, creating a minimal minidump. It can be compiled as shellcode (PIC), supports XOR encryption, and remote file transmission. - safedv/RustiveDump
Read More -
Dump lsass using only NTAPI functions by hand-crafting Minidump files (without MiniDumpWriteDump!!!) - ricardojoserf/NativeDump
Read More
Related rules
- HackTool - Generic Process Access
- Potentially Suspicious GrantedAccess Flags On LSASS
- LSASS Process Memory Dump Creation Via Taskmgr.EXE
- Process Memory Dump via RdrLeakDiag.EXE
- APT31 Judgement Panda Activity