HackTool - CreateMiniDump Execution
Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
Sigma rule (View on GitHub)
1title: HackTool - CreateMiniDump Execution
2id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
3status: test
4description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
5references:
6 - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
7author: Florian Roth (Nextron Systems)
8date: 2019-12-22
9modified: 2024-11-23
10tags:
11 - attack.credential-access
12 - attack.t1003.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Image|endswith: '\CreateMiniDump.exe'
19 - Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
20 condition: selection
21falsepositives:
22 - Unknown
23level: high
References
Related rules
- HackTool - HandleKatz LSASS Dumper Execution
- HackTool - Windows Credential Editor (WCE) Execution
- Antivirus Password Dumper Detection
- Potentially Suspicious AccessMask Requested From LSASS
- LSASS Process Memory Dump Files