Detects file creation events with filename patterns used by CrackMapExec.

Read More

Detects uses of the createdump.exe LOLOBIN utility to dump process memory

Read More

Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"

Read More

Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles

Read More

Detects suspicious use of XORDump process memory dumping utility

Read More

Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name

Read More

Detects usage of the SysInternals Procdump utility

Read More

Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory

Read More

Detects suspicious ways to use the "DumpMinitool.exe" binary

Read More

Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.

Read More

Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community

Read More

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Read More

Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory

Read More

Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.

Read More

Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine

Read More

Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same

Read More

Detects the use of Windows Credential Editor (WCE)

Read More

Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More

Detects process handle on LSASS process with certain access mask

Read More

Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.

Read More

Detects process access requests from hacktool processes based on their default image name

Read More

Detects process access requests to LSASS process with potentially suspicious access flags

Read More

Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.

Read More

Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory

Read More

Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report

Read More

Files with well-known filenames (parts of credential dump software or files produced by them) creation

Read More

Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.

Read More

Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.

Read More

Detects well-known credential dumping tools execution via service execution events

Read More

Detects well-known credential dumping tools execution via service execution events

Read More

Detects process dump via legitimate sqldumper.exe binary

Read More

Detects suspicious process patterns found in logs when CrackMapExec is used

Read More

Detects well-known credential dumping tools execution via specific named pipe creation

Read More

Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory

Read More

Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

Read More

Detection well-known mimikatz command line arguments

Read More

Detects default lsass dump filename generated by SafetyKatz.

Read More

Detects the execution of the hacktool SafetyKatz via PE information and default Image name

Read More

Detects Access to LSASS Process

Read More

Detects potential mimikatz-like tools accessing LSASS from non system account

Read More

Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference

Read More

Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.

Read More

Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.

Read More

Detects LSASS process access requests from a source process with the "dump" keyword in its image name.

Read More

Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.

Read More

Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.

Read More

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

Read More

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

Read More

Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN

Read More

Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.

Read More

Detects remote thread creation by PowerShell processes into "lsass.exe"

Read More

Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity

Read More

Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process

Read More

Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass

Read More

Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential

Read More

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

Read More

Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.

Read More

Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity

Read More

Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory

Read More

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

Read More

Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.

Read More

Detects rundll32 loading a renamed comsvcs.dll to dump process memory

Read More

Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.

Read More

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Read More

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Read More

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Read More

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Read More

Loading unsigned image (DLL, EXE) into LSASS process

Read More

Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials

Read More

Detects the use of Windows Credential Editor (WCE)

Read More

Detects potential LSASS abuse based on unusual parent-child process lineage patterns. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects suspicious cross-process events where LSASS is accessed. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of LSASS running under any non-privileged user context, which can indicate abuse. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects processes that seem to be rundll32.exe along with a command line containing the term MiniDump. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects potential lsass.exe abuse based on unusual and suspicious parent-child relationships. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects obviously suspicious cross-process events targetting lsass.exe. Inspired by the 2022 Red Canary Threat Detection report.

Read More