LSASS Dump Keyword In CommandLine

 1title: LSASS Dump Keyword In CommandLine
 2id: ffa6861c-4461-4f59-8a41-578c39f3f23e
 3related:
 4    - id: a5a2d357-1ab8-4675-a967-ef9990a59391
 5      type: derived
 6status: test
 7description: |
 8        Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
 9references:
10    - https://github.com/Hackndo/lsassy
11    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
12    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
13    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
14    - https://github.com/helpsystems/nanodump
15    - https://github.com/CCob/MirrorDump
16author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
17date: 2019-10-24
18modified: 2023-08-29
19tags:
20    - attack.credential-access
21    - attack.t1003.001
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection:
27        - CommandLine|contains:
28              - 'lsass.dmp'
29              - 'lsass.zip'
30              - 'lsass.rar'
31              - 'Andrew.dmp'
32              - 'Coredump.dmp'
33              - 'NotLSASS.zip'  # https://github.com/CCob/MirrorDump
34              - 'lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
35              - 'lsassdump'
36              - 'lsassdmp'
37        - CommandLine|contains|all:
38              - 'lsass'
39              - '.dmp'
40        - CommandLine|contains|all:
41              - 'SQLDmpr'
42              - '.mdmp'
43        - CommandLine|contains|all:
44              - 'nanodump'
45              - '.dmp'
46    condition: selection
47falsepositives:
48    - Unlikely
49level: high

References

• GitHub - login-securite/lsassy: Extract credentials from lsass remotely

  

  Extract credentials from lsass remotely. Contribute to login-securite/lsassy development by creating an account on GitHub.

  
  Read More

• Some ways to dump LSASS.exe

  

  As always this is for educational purposes. I like to find multiple ways to do the same thing. It helps me learn and writing about it help…

  
  Read More

• detection-rules/rules/windows/credential_access_lsass_memdump_file_created.toml at c76a39796972ecde44cb1da6df47f1b6562c9770 · elastic/detection-rules

  

  Contribute to elastic/detection-rules development by creating an account on GitHub.

  
  Read More

• Cyber Advisors - Your Cyber Security Partner

  

  Protect your business with Cyber Advisors' customizable cybersecurity solutions. From penetration testing to managed IT services, we prioritize your security needs. Let's secure your business today!

  
  Read More

• GitHub - fortra/nanodump: The swiss army knife of LSASS dumping

  

  The swiss army knife of LSASS dumping. Contribute to fortra/nanodump development by creating an account on GitHub.

  
  Read More

• GitHub - CCob/MirrorDump: Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory

  

  Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory - CCob/MirrorDump

  
  Read More

Related rules

• APT31 Judgement Panda Activity
• Cred Dump Tools Dropped Files
• Credential Dumping Activity By Python Based Tool
• Credential Dumping Attempt Via WerFault
• Credential Dumping Tools Service Execution - Security