Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials

Detects process access to LSASS memory with suspicious access flags

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name

Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder

Detects remote thread creation by PowerShell processes into "lsass.exe"

Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory

Detects well-known credential dumping tools execution via service execution events

Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential

Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"

Detects suspicious ways to use the "DumpMinitool.exe" binary

Detects uses of the createdump.exe LOLOBIN utility to dump process memory

Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)

Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder

Detects process handle on LSASS process with certain access mask

Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools

Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.

Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.

Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass

Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory

Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity

Detects usage of the SysInternals Procdump utility

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Detection well-known mimikatz command line arguments

Detects default lsass dump filename from SafetyKatz

Detects rundll32 loading a renamed comsvcs.dll to dump process memory

Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.

Detects suspicious process patterns found in logs when CrackMapExec is used

Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory

Detects suspicious use of XORDump process memory dumping utility

Detects potential mimikatz-like tools accessing LSASS from non system account

Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same

Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine

Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory

Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

Detects the execution of the hacktool SafetyKatz via PE information and default Image name

Detects the use of Windows Credential Editor (WCE)

Detects a highly relevant Antivirus alert that reports a password dumper

Detects suspicious file creation patterns found in logs when CrackMapExec is used

Detects well-known credential dumping tools execution via service execution events

Detects well-known credential dumping tools execution via service execution events

Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference

Detects a possible process memory dump based on a keyword in the file name of the accessing process

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process

Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity

The "AdPlus.exe" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands

Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.