HackTool - CreateMiniDump Execution
Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
Sigma rule (View on GitHub)
1title: HackTool - CreateMiniDump Execution
2id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
3status: test
4description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
5references:
6 - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
7author: Florian Roth (Nextron Systems)
8date: 2019-12-22
9modified: 2023-02-04
10tags:
11 - attack.credential-access
12 - attack.t1003.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Image|endswith: '\CreateMiniDump.exe'
19 - Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
20 - Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
Related rules
- APT31 Judgement Panda Activity
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security