LSASS Process Dump Artefact In CrashDumps Folder

calendar Oct 17, 2023 · attack.credential_access attack.t1003.001  ·
Share on: linkedin copy

Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.

Sigma rule (View on GitHub)

 1title: LSASS Process Dump Artefact In CrashDumps Folder
 2id: 6902955a-01b7-432c-b32a-6f5f81d8f625
 3status: test
 4description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
 5references:
 6    - https://github.com/deepinstinct/Lsass-Shtinkering
 7    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 8author: '@pbssubhash'
 9date: 2022/12/08
10tags:
11    - attack.credential_access
12    - attack.t1003.001
13logsource:
14    product: windows
15    category: file_event
16detection:
17    selection:
18        TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
19        TargetFilename|contains: 'lsass.exe.'
20        TargetFilename|endswith: '.dmp'
21    condition: selection
22falsepositives:
23    - Rare legitimate dump of the process by the operating system due to a crash of lsass
24level: high

References

  • GitHub - deepinstinct/Lsass-Shtinkering

    Contribute to deepinstinct/Lsass-Shtinkering development by creating an account on GitHub.


    Read More

  • ×¼®Ý´INN6Í<½üÒ³fäyNJ¶ìE.Ó$ææ78ÜtôDFU½ƒddþÆà:*:0kvàÌ|·±ãy"ÖU•bØ€ÉÃþ&{‚ŠÆM#¹ö#0Õötwƒ'ªÕee¥¥ù%%Ú(*†˜SXAxBÞœ9¹yy÷Â6¨YÔ´ãdÏïϽµõÄ©ª…‹ŒýuôÜwßœûígO^¹Ô¸aCå’%š…�óêê!ʪª J5pù¬�ÒRˆÈŠ1ÅÅ...


    Read More

Related rules

to-top