Potential LSASS Process Dump Via Procdump

Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.

Sigma rule

title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
    Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
    This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
    LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
    Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
    - https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002
    - https://x.com/wietze/status/1958302556033065292?s=12
author: Florian Roth (Nextron Systems)
date: 2018-10-30
modified: 2025-10-19
tags:
    - attack.defense-evasion
    - attack.t1036
    - attack.credential-access
    - attack.t1003.001
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection_flags:
        CommandLine|contains|windash:
            - ' -ma '
            - ' -mm ' # Mini dump
            - ' -mp ' # Miniplus dump
    selection_process:
        CommandLine|contains:
            - ' ls' # Short for lsass
            - ' keyiso'
            - ' samss'
    condition: all of selection_*
falsepositives:
    - Unlikely, because no one should dump an lsass process memory
    - Another tool that uses command line flags similar to ProcDump
level: high
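To see how the two selections and the `all of selection_*` condition combine, here is a plain-Python re-implementation of the rule's matching logic run over constructed process_creation events. This is an added example, not SigmaHQ code or a Sigma backend; the `windash` expansion set (slash plus the Unicode dash forms) is assumed to mirror the Sigma modifier specification, and the sample events are constructed, not real telemetry.

```python
"""Reference matcher for the 'Potential LSASS Process Dump Via Procdump' rule.

Added example: re-implements the rule's two selections and its
'all of selection_*' condition so the logic can be unit-tested offline.
"""
from typing import Dict, Iterable, List

# Taken from the rule body. Sigma 'contains' is case-insensitive.
FLAG_PATTERNS = [" -ma ", " -mm ", " -mp "]       # selection_flags (|windash)
PROCESS_PATTERNS = [" ls", " keyiso", " samss"]   # selection_process

# Assumption: the Sigma 'windash' modifier expands '-' into '/', plus the
# Unicode en dash, em dash and horizontal bar (U+2013, U+2014, U+2015).
WINDASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash(value: str) -> List[str]:
    """Return every variant of value with its '-' swapped for each dash form."""
    return [value.replace("-", d) for d in WINDASH_VARIANTS]


def _contains_any(haystack: str, needles: Iterable[str]) -> bool:
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate 'all of selection_*' against one process_creation event."""
    cmd = event.get("CommandLine", "")
    flag_hit = any(_contains_any(cmd, windash(p)) for p in FLAG_PATTERNS)
    proc_hit = _contains_any(cmd, PROCESS_PATTERNS)
    return flag_hit and proc_hit


def evaluate(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry) for a quick self-check.
SAMPLE_EVENTS = [
    {"CommandLine": "procdump.exe -ma lsass.exe c:\\temp\\out.dmp"},   # alert
    {"CommandLine": "procdump.exe /mm keyiso dump.dmp"},               # alert (windash)
    {"CommandLine": "procdump.exe \u2013mp samss"},                     # alert (en dash)
    {"CommandLine": "procdump.exe -ma notepad.exe"},                    # flag, no marker
    {"CommandLine": "cmd.exe /c dir ls"},                               # marker, no flag
]

if __name__ == "__main__":
    for e in evaluate(SAMPLE_EVENTS):
        print("ALERT:", e["CommandLine"])
```

Only the first three sample events satisfy both selections; the last two show why the rule requires the dump flag and the process marker together rather than either alone.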
