LSASS Memory Access by Tool With Dump Keyword In Name
Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
Sigma rule
title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|contains: 'dump'
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
    condition: selection
falsepositives:
    - Rare programs that contain the word dump in their name and access lsass
level: high
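As an added example (not code from the Sigma project or from this rule's author), the selection block above re-implemented in Python and replayed over constructed Sysmon Event ID 10 records, so the suffix matching can be checked offline; field names follow the Sigma process_access category, and every sample path and access mask is made up for illustration.

```python
# Added example, not code from the Sigma project: replays the rule's
# selection block over constructed Sysmon Event ID 10 (ProcessAccess) records.

# GrantedAccess suffixes copied from the rule. Every two-character suffix
# has bit 0x10 (PROCESS_VM_READ) set, which reading LSASS memory requires;
# '0x14C2' is the exact mask the rule lists for ATPMiniDump.
GRANTED_ACCESS_SUFFIXES = (
    "10", "30", "50", "70", "90", "B0", "D0", "F0",
    "18", "38", "58", "78", "98", "B8", "D8", "F8",
    "1A", "3A", "5A", "7A", "9A", "BA", "DA", "FA",
    "0x14C2", "FF",
)

def matches_rule(event: dict) -> bool:
    """True when a process_access event satisfies the rule's selection.

    Sigma's |contains and |endswith are case-insensitive by default, so
    every comparison is made on lower-cased strings.
    """
    target = event.get("TargetImage", "").lower()
    source = event.get("SourceImage", "").lower()
    granted = event.get("GrantedAccess", "").lower()
    if not target.endswith("\\lsass.exe") or "dump" not in source:
        return False
    return any(granted.endswith(s.lower()) for s in GRANTED_ACCESS_SUFFIXES)

def alerts(events: list) -> list:
    """Return the SourceImage of every event that fires the rule."""
    return [e["SourceImage"] for e in events if matches_rule(e)]

# Constructed sample events; field names follow Sysmon Event ID 10.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    # Full access mask ends in "FF": fires.
    {"SourceImage": r"C:\Tools\procdump64.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    # Lower-case hex digits match too.
    {"SourceImage": r"C:\Temp\MiniDumpTool.exe", "TargetImage": LSASS, "GrantedAccess": "0x1fffff"},
    # Query-only access (0x1400) has no listed suffix: no alert.
    {"SourceImage": r"C:\Tools\dumper.exe", "TargetImage": LSASS, "GrantedAccess": "0x1400"},
    # Source image name lacks "dump": no alert.
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    # Dump tool reading a process other than lsass: no alert.
    {"SourceImage": r"C:\Tools\memdump.exe", "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT:", image)
```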
Related rules
- Credential Dumping Attempt Via WerFault
- LSASS Access From Potentially White-Listed Processes
- Mimikatz Use
- Potential Credential Dumping Activity Via LSASS
- Remote LSASS Process Access Through Windows Remote Management