HackTool - CreateMiniDump Execution

Feb 4, 2023 · attack.credential_access attack.t1003.001 ·

Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine

Sigma rule (View on GitHub)

 1title: HackTool - CreateMiniDump Execution
 2id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
 3status: test
 4description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
 5references:
 6    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
 7author: Florian Roth (Nextron Systems)
 8date: 2019/12/22
 9modified: 2023/02/04
10tags:
11    - attack.credential_access
12    - attack.t1003.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        - Image|endswith: '\CreateMiniDump.exe'
19        - Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
20        - Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
21    condition: selection
22falsepositives:
23    - Unknown
24level: high

References

Dumping Lsass without Mimikatz with MiniDumpWriteDump | Red Team Notes

Evasion, Credential Dumping

Read More

HackTool - CreateMiniDump Execution

Sigma rule (View on GitHub)

References

Dumping Lsass without Mimikatz with MiniDumpWriteDump | Red Team Notes

Related rules