LSASS Process Memory Dump Files
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
Sigma rule

```yaml
title: LSASS Process Memory Dump Files
id: a5a2d357-1ab8-4675-a967-ef9990a59391
related:
    - id: db2110f3-479d-42a6-94fb-d35bc1e46492
      type: obsoletes
    - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
      type: obsoletes
status: experimental
description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
references:
    - https://www.google.com/search?q=procdump+lsass
    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
    - https://github.com/helpsystems/nanodump
    - https://github.com/CCob/MirrorDump
author: Florian Roth (Nextron Systems)
date: 2021/11/15
modified: 2023/09/05
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_1:
        TargetFilename|endswith:
            - '\lsass.dmp'
            - '\lsass.zip'
            - '\lsass.rar'
            - '\Andrew.dmp'
            - '\Coredump.dmp'
            - '\NotLSASS.zip' # https://github.com/CCob/MirrorDump
            - '\PPLBlade.dmp' # https://github.com/tastypepperoni/PPLBlade
    selection_2:
        TargetFilename|contains:
            - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
            - '\lsassdump'
            - '\lsassdmp'
    selection_3:
        TargetFilename|contains|all:
            - '\lsass'
            - '.dmp'
    selection_4:
        TargetFilename|contains: 'SQLDmpr'
        TargetFilename|endswith: '.mdmp'
    selection_5:
        TargetFilename|startswith: 'nanodump'
        TargetFilename|endswith: '.dmp'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
```
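As an added example (not part of the rule or of the SigmaHQ project), a small Python evaluator that applies the five selections above and the "1 of selection_*" condition to file-creation events, so the matching semantics can be checked against constructed TargetFilename values: Sigma string modifiers compare case-insensitively, a list of values is OR-ed, "contains|all" AND-s its values, and several fields inside one selection are AND-ed.

```python
"""Evaluate the 'LSASS Process Memory Dump Files' Sigma rule against file events."""
from typing import Dict, List, Tuple

# Selections transcribed from the rule above: (modifier, values) per field.
# A lone backslash in a Sigma value is literal, hence the raw strings.
SELECTIONS: Dict[str, List[Tuple[str, List[str]]]] = {
    "selection_1": [("endswith", [r"\lsass.dmp", r"\lsass.zip", r"\lsass.rar",
                                  r"\Andrew.dmp", r"\Coredump.dmp",
                                  r"\NotLSASS.zip", r"\PPLBlade.dmp"])],
    "selection_2": [("contains", [r"\lsass_2", r"\lsassdump", r"\lsassdmp"])],
    "selection_3": [("contains|all", [r"\lsass", ".dmp"])],
    "selection_4": [("contains", ["SQLDmpr"]), ("endswith", [".mdmp"])],
    # startswith applies to the whole field value, so selection_5 only fires
    # when the log source carries a bare filename rather than a full path.
    "selection_5": [("startswith", ["nanodump"]), ("endswith", [".dmp"])],
}


def _field_matches(value: str, modifier: str, patterns: List[str]) -> bool:
    """Apply one Sigma modifier; case-insensitive as the Sigma spec requires."""
    v = value.lower()
    parts = modifier.split("|")
    ops = {
        "endswith": v.endswith,
        "startswith": v.startswith,
        "contains": lambda p: p in v,
    }
    hits = [ops[parts[0]](p.lower()) for p in patterns]
    return all(hits) if "all" in parts else any(hits)  # |all -> AND, else OR


def matched_selections(target_filename: str) -> List[str]:
    """Names of the selections that match; fields within a selection are AND-ed."""
    return [name for name, fields in SELECTIONS.items()
            if all(_field_matches(target_filename, mod, pats) for mod, pats in fields)]


def rule_fires(target_filename: str) -> bool:
    """condition: 1 of selection_*"""
    return bool(matched_selections(target_filename))


if __name__ == "__main__":
    # Constructed sample TargetFilename values, not taken from real telemetry.
    for sample in (r"C:\Windows\Temp\lsass.dmp",
                   r"C:\Users\Public\lsass_230905_101500.dmp",
                   r"C:\temp\NotLSASS.zip",
                   r"C:\Program Files\App\SQLDmpr0001.mdmp",
                   r"C:\Users\bob\Documents\report.docx"):
        tag = "ALERT" if rule_fires(sample) else "ok   "
        print(f"{tag}  {sample}  {matched_selections(sample)}")
```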
Related rules
- LSASS Dump Keyword In CommandLine
- Potential Credential Dumping Via LSASS Process Clone
- Lsass Full Dump Request Via DumpType Registry Settings
- Cred Dump Tools Dropped Files
- Credential Dumping Tools Service Execution