LSASS Process Memory Dump Creation Via Taskmgr.EXE
Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
Sigma rule

```yaml
title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
status: test
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
author: Swachchhanda Shrawan Poudel
date: 2023-10-19
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - ':\Windows\system32\taskmgr.exe'
            - ':\Windows\SysWOW64\taskmgr.exe'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '\lsass'
            - '.DMP'
    condition: selection
falsepositives:
    - Rare case of troubleshooting by an administrator or support that has to be investigated regardless
level: high
```
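The selection above combines an `endswith` match on the writing process with a `contains|all` match on the dump path. The following added example (not part of the SigmaHQ rule or its tooling) evaluates that logic over a few constructed file_event records, lower-casing both sides because Sigma string modifiers are case-insensitive by default; the event field names and sample paths are assumptions.

```python
# Added example: evaluate this rule's selection over constructed
# file_event records (Sysmon Event ID 11 style). Not SigmaHQ code.
# Sigma string modifiers are case-insensitive, so both sides are lowered.

IMAGE_SUFFIXES = (
    ":\\windows\\system32\\taskmgr.exe",
    ":\\windows\\syswow64\\taskmgr.exe",
)
TARGET_SUBSTRINGS = ("\\appdata\\local\\temp\\", "\\lsass", ".dmp")


def matches_rule(event: dict) -> bool:
    """Return True when a file_event record satisfies the rule's selection."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    # Image|endswith: any of the listed values must match
    image_ok = any(image.endswith(s) for s in IMAGE_SUFFIXES)
    # TargetFilename|contains|all: every listed value must be present
    target_ok = all(s in target for s in TARGET_SUBSTRINGS)
    return image_ok and target_ok


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {  # Task Manager "Create dump file" on lsass.exe -> should match
        "Image": "C:\\Windows\\system32\\Taskmgr.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\lsass.DMP",
    },
    {  # Dump of another process -> no match (no '\lsass' substring)
        "Image": "C:\\Windows\\system32\\Taskmgr.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\notepad.DMP",
    },
    {  # Same file name written by a different image -> no match
        "Image": "C:\\Windows\\system32\\WerFault.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\lsass.DMP",
    },
    {  # Wrong location: not under the user's Temp directory -> no match
        "Image": "C:\\Windows\\SysWOW64\\taskmgr.exe",
        "TargetFilename": "D:\\dumps\\lsass.dmp",
    },
]


def matching_targets(events=SAMPLE_EVENTS) -> list:
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in matching_targets():
        print("ALERT:", hit)
```

The third and fourth samples show why the rule keys on both the image and the Temp path: a dump named lsass.DMP from WerFault.exe, or a Task Manager dump written elsewhere, is left to the related rules listed below.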
Related rules
- Process Memory Dump via RdrLeakDiag.EXE
- APT31 Judgement Panda Activity
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault