WerFault LSASS Process Memory Dump

Aug 12, 2024 · attack.credential-access attack.t1003.001 ·

Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials

Sigma rule (View on GitHub)

 1title: WerFault LSASS Process Memory Dump
 2id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
 3status: test
 4description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
 5references:
 6    - https://github.com/helpsystems/nanodump
 7author: Florian Roth (Nextron Systems)
 8date: 2022-06-27
 9tags:
10    - attack.credential-access
11    - attack.t1003.001
12logsource:
13    product: windows
14    category: file_event
15detection:
16    selection:
17        Image: C:\WINDOWS\system32\WerFault.exe
18        TargetFilename|contains:
19            - '\lsass'
20            - 'lsass.exe'
21    condition: selection
22falsepositives:
23    - Unknown
24level: high

References

GitHub - fortra/nanodump: The swiss army knife of LSASS dumping

The swiss army knife of LSASS dumping. Contribute to fortra/nanodump development by creating an account on GitHub.

Read More

WerFault LSASS Process Memory Dump

Sigma rule (View on GitHub)

References

GitHub - fortra/nanodump: The swiss army knife of LSASS dumping

Related rules