Merge PR #4493 From @swachchhanda000
new: LSASS Process Memory Dump Creation Via Taskmgr.EXE --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
This commit is contained in:
Swachchhanda Shrawan Poudel
committed by
GitHub
GitHub
parent
f91066f09f
commit
4dc36bf6bd
@@ -0,0 +1,27 @@
|
||||
title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
|
||||
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
|
||||
status: experimental
|
||||
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
|
||||
author: Swachchhanda Shrawan Poudel
|
||||
date: 2023/10/19
|
||||
references:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
|
||||
tags:
|
||||
- attack.credential_access
|
||||
- attack.t1003.001
|
||||
logsource:
|
||||
category: file_event
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith:
|
||||
- ':\Windows\system32\taskmgr.exe'
|
||||
- ':\Windows\SysWOW64\taskmgr.exe'
|
||||
TargetFilename|contains|all:
|
||||
- '\AppData\Local\Temp\'
|
||||
- '\lsass'
|
||||
- '.DMP'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Rare case of troubleshooting by an administrator or support that has to be investigated regardless
|
||||
level: high
|
||||
Reference in New Issue
Block a user