LSASS Process Dump Artefact In CrashDumps Folder
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
Sigma rule (View on GitHub)
1title: LSASS Process Dump Artefact In CrashDumps Folder
2id: 6902955a-01b7-432c-b32a-6f5f81d8f625
3status: test
4description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
5references:
6 - https://github.com/deepinstinct/Lsass-Shtinkering
7 - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
8author: '@pbssubhash'
9date: 2022-12-08
10tags:
11 - attack.credential-access
12 - attack.t1003.001
13logsource:
14 product: windows
15 category: file_event
16detection:
17 selection:
18 TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
19 TargetFilename|contains: 'lsass.exe.'
20 TargetFilename|endswith: '.dmp'
21 condition: selection
22falsepositives:
23 - Rare legitimate dump of the process by the operating system due to a crash of lsass
24level: high
References
Related rules
- APT31 Judgement Panda Activity
- Antivirus Password Dumper Detection
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault