From 4dc36bf6bdbc9d7afb0b536adbb133ab70bc10a1 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Thu, 19 Oct 2023 21:52:12 +0545
Subject: [PATCH] Merge PR #4493 From @swachchhanda000 new: LSASS Process Memory Dump Creation Via Taskmgr.EXE

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../file_event_win_taskmgr_lsass_dump.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml

diff --git a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml
new file mode 100644
index 000000000..0fbc2c3c9
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml
@@ -0,0 +1,27 @@
+title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
+id: 69ca12af-119d-44ed-b50f-a47af0ebc364
+status: experimental
+description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
+author: Swachchhanda Shrawan Poudel
+date: 2023/10/19
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - ':\Windows\system32\taskmgr.exe'
+            - ':\Windows\SysWOW64\taskmgr.exe'
+        TargetFilename|contains|all:
+            - '\AppData\Local\Temp\'
+            - '\lsass'
+            - '.DMP'
+    condition: selection
+falsepositives:
+    - Rare case of troubleshooting by an administrator or support that has to be investigated regardless
+level: high
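Review bot: The `TargetFilename|contains|all` selection is looser than the description's "lsass.dmp" wording suggests: it fires on any `.DMP` path under `\AppData\Local\Temp\` that also contains `\lsass` anywhere (so a differently suffixed or numbered dump name in that folder would match too), and a later maintainer reading the description might "tighten" it to an `endswith: '\lsass.DMP'` and lose that coverage. If the looseness is intended, state it in the rule text, e.g. `description: Detects the creation of an "lsass*.DMP" file in a user's local temp folder by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.`; if it is not, the `'\lsass'` and `'.DMP'` items should be collapsed into one `TargetFilename|endswith` value. Separately, the `references` link anchors at `#L1`, the first line of the whole T1003.001 page rather than the Task Manager test it documents; linking the relevant section heading would make the reference actionable for analysts triaging the alert.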