2020-06-10 16:32:30 +02:00
title : LSASS Memory Dump
id : 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status : experimental
2022-01-26 08:12:49 -07:00
description : Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
author : Samir Bousseaden, Michael Haag
2020-06-10 16:32:30 +02:00
date : 2019 /04/03
2022-03-20 16:18:18 +01:00
modified : 2022 /03/20
2020-06-10 16:32:30 +02:00
references :
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
2022-01-26 08:12:49 -07:00
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md
- https://research.splunk.com/endpoint/windows_possible_credential_dumping/
2020-06-10 16:32:30 +02:00
tags :
- attack.credential_access
2020-08-23 02:03:06 +00:00
- attack.t1003.001
- attack.s0002
2020-06-10 16:32:30 +02:00
logsource :
category : process_access
product : windows
detection :
selection :
2021-06-21 21:19:04 +02:00
TargetImage|endswith : '\lsass.exe'
2022-01-26 08:12:49 -07:00
GrantedAccess|contains :
2022-02-12 00:40:10 +01:00
#- '0x1fffff' # Too many false positives
#- '0x01000' # Too many false positives
#- '0x1010' # Too many false positives
- '0x1038'
2022-03-20 16:18:18 +01:00
# - '0x40' # Too many false positives
2022-02-12 00:40:10 +01:00
#- '0x1400' # Too many false positives
# - '0x1410' # Too many false positives
- '0x1438'
- '0x143a'
2020-10-15 17:17:57 -03:00
CallTrace|contains :
2022-02-12 00:40:10 +01:00
- 'dbghelp.dll'
- 'dbgcore.dll'
- 'ntdll.dll'
2020-06-10 16:32:30 +02:00
condition : selection
falsepositives :
2022-01-26 08:12:49 -07:00
- False positives are present when looking for 0x1410. Exclusions may be required.
level : high
