car.2013-05-009

Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Apr 28, 2026 · attack.stealth attack.t1036.003 car.2013-05-009 ·

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Potential LSASS Process Dump Via Procdump

Apr 28, 2026 · attack.stealth attack.t1036 attack.credential-access attack.t1003.001 car.2013-05-009 ·

Share on:

Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.

Process Memory Dump Via Comsvcs.DLL

Apr 28, 2026 · attack.credential-access attack.stealth attack.t1036 attack.t1003.001 car.2013-05-009 ·

Share on:

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Ps.exe Renamed SysInternals Tool

Apr 28, 2026 · attack.stealth attack.g0035 attack.t1036.003 car.2013-05-009 detection.emerging-threats ·

Share on:

Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report