Lsass Full Dump Request Via DumpType Registry Settings
Detects the "DumpType" registry value under Windows Error Reporting's LocalDumps key being set to "2", which WER interprets as "Full Dump" (1 is a mini dump, 0 a custom dump). Techniques such as LSASS Shtinkering require this value to be 2 in order to obtain a usable dump of LSASS through WER.
Sigma rule
title: Lsass Full Dump Request Via DumpType Registry Settings
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
status: test
description: Detects the setting of the "DumpType" registry value to "2", which stands for a "Full Dump". Techniques such as LSASS Shtinkering require this value to be "2" in order to dump LSASS.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
modified: 2023-08-17
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
            - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
        Details: 'DWORD (0x00000002)' # Full Dump
    condition: selection
falsepositives:
    - Legitimate applications that need a full dump of their own process
level: high
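To make the selection block concrete, the following is an added example (not part of the Sigma rule or of SigmaHQ) that applies the rule's matching logic to a handful of constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, which is what the `registry_set` logsource category maps to on Windows. It assumes the events have already been parsed into dictionaries with the Sysmon field names `EventID`, `TargetObject`, `Details` and `Image`; the sample records and the binary paths in them are made up for illustration. Sigma string matching is case-insensitive by default, so both sides are lowercased before comparison.

```python
import json

# Registry value paths from the rule's TargetObject|contains list.
DUMPTYPE_PATHS = (
    r"\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType",
    r"\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType",
)

# Sysmon renders a REG_DWORD write in the Details field as "DWORD (0x%08x)".
# WER DumpType: 2 = full dump, 1 = mini dump, 0 = custom dump.
FULL_DUMP_DETAILS = "DWORD (0x00000002)"


def matches_dumptype_rule(event: dict) -> bool:
    """Return True when a parsed Sysmon event satisfies the rule's selection.

    The Sigma logsource 'registry_set' corresponds to Sysmon Event ID 13
    (RegistryEvent: Value Set); key create/delete (ID 12) and rename (ID 14)
    events are ignored because the rule is about the value being written.
    """
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    # Sigma 'contains' is a case-insensitive substring test.
    path_hit = any(path.lower() in target for path in DUMPTYPE_PATHS)
    return path_hit and details == FULL_DUMP_DETAILS.lower()


def scan(events: list) -> list:
    """Run the rule over a batch of events and return the matching records."""
    return [event for event in events if matches_dumptype_rule(event)]


# Constructed sample telemetry (hypothetical, not captured from a real host).
SAMPLE_EVENTS = [
    # Global LocalDumps\DumpType set to full dump: matches.
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType",
     "Details": "DWORD (0x00000002)"},
    # Per-process key for lsass.exe set to full dump: matches.
    {"EventID": 13, "Image": "C:\\Users\\dev\\tools\\dumper.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType",
     "Details": "DWORD (0x00000002)"},
    # Mini dump (1) on the global key: not a full dump, no match.
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType",
     "Details": "DWORD (0x00000001)"},
    # Full dump requested for a different process: outside the rule's scope.
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\notepad.exe\\DumpType",
     "Details": "DWORD (0x00000002)"},
    # Key creation event (ID 12) on the same path: no value written, no match.
    {"EventID": 12, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType",
     "Details": ""},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        # Image is what an analyst triages first: a developer setting WER
        # dumps via regedit looks very different from an unknown binary.
        print(json.dumps({"Image": hit["Image"], "TargetObject": hit["TargetObject"]}))
```

Two practical caveats. First, this rule only fires if the Sysmon configuration actually includes the `Windows Error Reporting\LocalDumps` key in its RegistryEvent rules; a configuration that does not log writes under that key produces no Event ID 13 records and the rule is silent. Second, the rule does not look at who wrote the value, so the `Image` (and `User`) fields of the matching event are the first thing to check when separating the false positive named in the rule, a developer enabling full dumps for their own process, from an attempt to have WER dump LSASS.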
Related rules
- APT31 Judgement Panda Activity
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security