rules/windows/process_creation/proc_creation_win_lsass_dump.yml

title: LSASS Memory Dumping
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
status: test
description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
references:
  - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
  - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
date: 2019/10/24
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    CommandLine|contains|all:
      - 'lsass'
      - '.dmp'
  selection2:
    Image|endswith: '\werfault.exe'
  selection3:
    Image|contains: '\procdump'
    Image|endswith: '.exe'
    CommandLine|contains: 'lsass'
  condition: selection1 and not selection2 or selection3
fields:
  - ComputerName
  - User
  - CommandLine
falsepositives:
  - Unlikely
level: high
tags:
  - attack.credential_access
  - attack.t1003.001
Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00			`title: LSASS Memory Dumping`
UUIDs + moved unsupported logic 2019-12-19 23:56:36 +01:00			`id: ffa6861c-4461-4f59-8a41-578c39f3f23e`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.`
fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00			`author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community`
Update win_lsass_dump.yml 2019-11-11 21:46:54 +03:00			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html`
			`- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md`
			`date: 2019/10/24`
			`modified: 2021/11/27`
OSCD QA wave 1 2020-01-11 00:11:27 +01:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_creation`
			`product: windows`
Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection1:`
			`CommandLine\|contains\|all:`
			`- 'lsass'`
			`- '.dmp'`
			`selection2:`
			`Image\|endswith: '\werfault.exe'`
			`selection3:`
			`Image\|contains: '\procdump'`
			`Image\|endswith: '.exe'`
			`CommandLine\|contains: 'lsass'`
			`condition: selection1 and not selection2 or selection3`
OSCD QA wave 1 2020-01-11 00:11:27 +01:00			`fields:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- ComputerName`
			`- User`
			`- CommandLine`
Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Unlikely`
Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00			`level: high`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.credential_access`
			`- attack.t1003.001`