LSASS Access From Potentially White-Listed Processes
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
Sigma rule
title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
description: |
    Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
    - https://twitter.com/mrd0x/status/1460597833917251595
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith:
            - '\TrolleyExpress.exe' # Citrix
            - '\ProcessDump.exe' # Cisco Jabber
            - '\dump64.exe' # Visual Studio
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
    condition: selection
falsepositives:
    - Unknown
level: high
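To see how the selection above behaves on real telemetry, here is an added example (not part of the SigmaHQ rule or this site) that evaluates the three `endswith` conditions against constructed Sysmon Event ID 10 records; the field names follow the Sysmon process_access schema, the sample events and paths are made up.

```python
# Evaluate the rule's 'selection' against constructed Sysmon EID 10 records.
# Added example; not the SigmaHQ rule's own code.
TARGET_SUFFIX = r"\lsass.exe"
SOURCE_SUFFIXES = (r"\TrolleyExpress.exe", r"\ProcessDump.exe", r"\dump64.exe")
GRANTED_SUFFIXES = (
    "10", "30", "50", "70", "90", "B0", "D0", "F0",
    "18", "38", "58", "78", "98", "B8", "D8", "F8",
    "1A", "3A", "5A", "7A", "9A", "BA", "DA", "FA",
    "0x14C2", "FF",
)


def _endswith_any(value, suffixes):
    # Sigma string modifiers compare case-insensitively by default.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches(event):
    """True when an event satisfies all three fields of 'selection'."""
    return (
        _endswith_any(event.get("TargetImage", ""), (TARGET_SUFFIX,))
        and _endswith_any(event.get("SourceImage", ""), SOURCE_SUFFIXES)
        and _endswith_any(event.get("GrantedAccess", ""), GRANTED_SUFFIXES)
    )


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Temp\TrolleyExpress.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF"},   # full access, ends with 'FF' -> alert
    {"SourceImage": r"C:\Program Files\Citrix\TrolleyExpress.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000"},     # QUERY_LIMITED_INFORMATION only -> no alert
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},     # source not in the list -> no alert
    {"SourceImage": r"C:\Tools\dump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1410"},     # VM_READ | QUERY_INFORMATION -> alert
]


def alerts(events):
    """Return the indexes of the events that would fire this rule."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0, 3]
```

Note that the second event shows why the GrantedAccess list matters: a benign query of LSASS by a listed binary with access mask 0x1000 does not trigger, while the read/query combinations typical of a minidump do.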
Related rules
- Credential Dumping Attempt Via WerFault
- LSASS Memory Access by Tool With Dump Keyword In Name
- Mimikatz Use
- Potential Credential Dumping Activity Via LSASS
- Remote LSASS Process Access Through Windows Remote Management