Potential LSASS Process Dump Via Procdump
Detects suspicious use of the Sysinternals ProcDump utility by looking for its full memory dump switch (-ma) together with a reference to the lsass process in the command line. Because the match is made on the command line rather than on the image name, the rule also catches cases in which the attacker has renamed the procdump executable.
Sigma rule
title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
    Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process.
    This way we are also able to catch cases in which the attacker has renamed the procdump executable.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems)
date: 2018-10-30
modified: 2024-03-13
tags:
    - attack.defense-evasion
    - attack.t1036
    - attack.credential-access
    - attack.t1003.001
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection_flags:
        CommandLine|contains|windash: ' -ma '
    selection_process:
        CommandLine|contains: ' ls' # Short for lsass
    condition: all of selection*
falsepositives:
    - Unlikely, because no one should dump an lsass process memory
    - Another tool that uses command line flags similar to ProcDump
level: high
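The detection section above is two substring checks on CommandLine joined by an AND. The Python below, added here as an example and not code from the rule, from SigmaHQ or from pySigma, reimplements those two selections and runs them over a handful of constructed process-creation events to show what does and does not fire. The set of characters that the windash modifier substitutes for the dash (-, /, and the Unicode en dash, em dash and horizontal bar) is my reading of the Sigma modifier specification and is marked as an assumption in the code; the image paths, file names and command lines are invented.

```python
"""Added example: replays the Sigma rule's two selections over constructed
process-creation events. Not part of the SigmaHQ rule or of pySigma."""
import itertools

# Characters the Sigma 'windash' modifier substitutes for '-'. Assumption: this
# list follows the Sigma modifier specification as read by the editor; '-' and
# '/' are the ones that matter for ProcDump, the Unicode dashes cover
# command-line obfuscation.
WINDASH_CHARS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_variants(value: str) -> list[str]:
    """Expand every '-' in value to each windash alternative, as the modifier does."""
    parts = value.split("-")
    if len(parts) == 1:
        return [value]
    variants = []
    for combo in itertools.product(WINDASH_CHARS, repeat=len(parts) - 1):
        s = parts[0]
        for dash, tail in zip(combo, parts[1:]):
            s += dash + tail
        variants.append(s)
    return variants


def contains_ci(haystack: str, needle: str) -> bool:
    """Sigma string matching is case-insensitive."""
    return needle.casefold() in haystack.casefold()


def selection_flags(cmdline: str) -> bool:
    """CommandLine|contains|windash: ' -ma '  (full memory dump switch)."""
    return any(contains_ci(cmdline, v) for v in windash_variants(" -ma "))


def selection_process(cmdline: str) -> bool:
    """CommandLine|contains: ' ls'  (lsass, or a shorthand such as 'ls')."""
    return contains_ci(cmdline, " ls")


def matches(event: dict) -> bool:
    """condition: all of selection*"""
    cmd = event.get("CommandLine", "")
    return selection_flags(cmd) and selection_process(cmd)


# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. textbook use: fires
    {"Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula -ma lsass.exe C:\Temp\lsass.dmp"},
    # 2. renamed binary, slash switch, 'ls' shorthand: still fires
    {"Image": r"C:\Users\Public\pd.exe",
     "CommandLine": r"pd.exe /ma ls out.dmp"},
    # 3. en dash instead of hyphen: windash still fires
    {"Image": r"C:\Users\Public\pd64.exe",
     "CommandLine": "pd64.exe \u2013ma lsass.exe dump.dmp"},
    # 4. full dump of another process: no ' ls' token, no alert
    {"Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -ma notepad.exe notepad.dmp"},
    # 5. default minidump of lsass: no ' -ma ', no alert (rule gap)
    {"Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula lsass.exe lsass.dmp"},
    # 6. PID target with a neutral output name: no ' ls' token, no alert (rule gap)
    {"Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -ma 624 out.dmp"},
]


def evaluate(events: list[dict]) -> list[bool]:
    """Return the rule verdict for each event, in order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT' if hit else 'ok   '} {event['CommandLine']}")
```

Events 5 and 6 are the ones worth remembering when tuning: the rule is keyed to the full-dump switch and to an argument beginning with ls, so a minidump requested without -ma, or a dump of lsass requested by PID with an output file that does not start with ls, passes without an alert. Conversely, any command line carrying a ' -ma ' switch and an argument starting with ls matches, which is the second listed false positive. The related rules below cover some of the other lsass dumping paths.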
References
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
Related rules
- Process Memory Dump Via Comsvcs.DLL
- CreateDump Process Dump
- DumpMinitool Execution
- HackTool - XORDump Execution
- NotPetya Ransomware Activity