HackTool - CreateMiniDump Execution
Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
Sigma rule (View on GitHub)
1title: HackTool - CreateMiniDump Execution
2id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
3status: test
4description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
5references:
6 - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
7author: Florian Roth (Nextron Systems)
8date: 2019/12/22
9modified: 2023/02/04
10tags:
11 - attack.credential_access
12 - attack.t1003.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Image|endswith: '\CreateMiniDump.exe'
19 - Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
20 - Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
Related rules
- HackTool - Dumpert Process Dumper Execution
- Mimikatz Use
- PowerShell Get-Process LSASS in ScriptBlock
- Windows Credential Editor Registry
- Mimikatz Command Line With Ticket Export