Potential LSASS Process Dump Via Procdump

calendar Mar 15, 2024 · attack.defense_evasion attack.t1036 attack.credential_access attack.t1003.001 car.2013-05-009  ·
Share on: linkedin copy

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

Sigma rule (View on GitHub)

 1title: Potential LSASS Process Dump Via Procdump
 2id: 5afee48e-67dd-4e03-a783-f74259dcf998
 3status: stable
 4description: |
 5    Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process.
 6    This way we are also able to catch cases in which the attacker has renamed the procdump executable.    
 7references:
 8    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
 9author: Florian Roth (Nextron Systems)
10date: 2018/10/30
11modified: 2024/03/13
12tags:
13    - attack.defense_evasion
14    - attack.t1036
15    - attack.credential_access
16    - attack.t1003.001
17    - car.2013-05-009
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_flags:
23        CommandLine|contains|windash: ' -ma '
24    selection_process:
25        CommandLine|contains: ' ls' # Short for lsass
26    condition: all of selection*
27falsepositives:
28    - Unlikely, because no one should dump an lsass process memory
29    - Another tool that uses command line flags similar to ProcDump
30level: high

References

Related rules

to-top