title: LSASS Memory Dumping
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
status: test
description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
references:
  - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
  - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
date: 2019/10/24
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    CommandLine|contains|all:
      - 'lsass'
      - '.dmp'
  selection2:
    Image|endswith: '\werfault.exe'
  selection3:
    Image|contains: '\procdump'
    Image|endswith: '.exe'
    CommandLine|contains: 'lsass'
  condition: selection1 and not selection2 or selection3
fields:
  - ComputerName
  - User
  - CommandLine
falsepositives:
  - Unlikely
level: high
tags:
  - attack.credential_access
  - attack.t1003.001