WerFault LSASS Process Memory Dump
Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
Sigma rule (View on GitHub)
1title: WerFault LSASS Process Memory Dump
2id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
3status: test
4description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
5references:
6 - https://github.com/helpsystems/nanodump
7author: Florian Roth (Nextron Systems)
8date: 2022/06/27
9tags:
10 - attack.credential_access
11 - attack.t1003.001
12logsource:
13 product: windows
14 category: file_event
15detection:
16 selection:
17 Image: C:\WINDOWS\system32\WerFault.exe
18 TargetFilename|contains:
19 - '\lsass'
20 - 'lsass.exe'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
Related rules
- Credential Dumping Tools Service Execution - System
- LSASS Process Dump Artefact In CrashDumps Folder
- Potential Credential Dumping Attempt Via PowerShell Remote Thread
- Potential Credential Dumping Via LSASS SilentProcessExit Technique
- Potential Credential Dumping Via WER