LSASS Dump Keyword In CommandLine

 1title: LSASS Dump Keyword In CommandLine
 2id: ffa6861c-4461-4f59-8a41-578c39f3f23e
 3related:
 4    - id: a5a2d357-1ab8-4675-a967-ef9990a59391
 5      type: derived
 6status: test
 7description: |
 8        Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
 9references:
10    - https://github.com/Hackndo/lsassy
11    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
12    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
13    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
14    - https://github.com/helpsystems/nanodump
15    - https://github.com/CCob/MirrorDump
16author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
17date: 2019/10/24
18modified: 2023/08/29
19tags:
20    - attack.credential_access
21    - attack.t1003.001
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection:
27        - CommandLine|contains:
28              - 'lsass.dmp'
29              - 'lsass.zip'
30              - 'lsass.rar'
31              - 'Andrew.dmp'
32              - 'Coredump.dmp'
33              - 'NotLSASS.zip'  # https://github.com/CCob/MirrorDump
34              - 'lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
35              - 'lsassdump'
36              - 'lsassdmp'
37        - CommandLine|contains|all:
38              - 'lsass'
39              - '.dmp'
40        - CommandLine|contains|all:
41              - 'SQLDmpr'
42              - '.mdmp'
43        - CommandLine|contains|all:
44              - 'nanodump'
45              - '.dmp'
46    condition: selection
47falsepositives:
48    - Unlikely
49level: high

References

• GitHub - login-securite/lsassy: Extract credentials from lsass remotely

  

  Extract credentials from lsass remotely. Contribute to login-securite/lsassy development by creating an account on GitHub.

  
  Read More

• Some ways to dump LSASS.exe

  

  As always this is for educational purposes. I like to find multiple ways to do the same thing. It helps me learn and writing about it help…

  
  Read More

• detection-rules/rules/windows/credential_access_lsass_memdump_file_created.toml at c76a39796972ecde44cb1da6df47f1b6562c9770 · elastic/detection-rules

  

  Contribute to elastic/detection-rules development by creating an account on GitHub.

  
  Read More

• Attacks & Defenses: Dumping LSASS With No Mimikatz

  

  Talis from White Oak Security demonstrates the tools & the how to guide on both attacks and defenses regarding dumping LSASS without Mimikatz. Read more here.

  
  Read More

• GitHub - fortra/nanodump: The swiss army knife of LSASS dumping

  

  The swiss army knife of LSASS dumping. Contribute to fortra/nanodump development by creating an account on GitHub.

  
  Read More

• GitHub - CCob/MirrorDump: Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory

  

  Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory - CCob/MirrorDump

  
  Read More

Related rules

• Antivirus Password Dumper Detection
• Cred Dump Tools Dropped Files
• HackTool - Mimikatz Execution
• HackTool - Windows Credential Editor (WCE) Execution
• Process Memory Dump Via Comsvcs.DLL