Florian Roth
45 lines
1.4 KiB
YAML
45 lines
1.4 KiB
YAML
title: LSASS Process Memory Dump Files
|
|
id: a5a2d357-1ab8-4675-a967-ef9990a59391
|
|
related:
|
|
- id: db2110f3-479d-42a6-94fb-d35bc1e46492
|
|
type: obsoletes
|
|
description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
|
|
status: experimental
|
|
author: Florian Roth
|
|
references:
|
|
- https://www.google.com/search?q=procdump+lsass
|
|
- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
|
|
- https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_lsass_memdump_file_created.toml
|
|
date: 2021/11/15
|
|
modified: 2022/02/10
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003.001
|
|
logsource:
|
|
product: windows
|
|
category: file_event
|
|
detection:
|
|
selection1:
|
|
TargetFilename|endswith:
|
|
- '\lsass.dmp'
|
|
- '\lsass.zip'
|
|
- '\lsass.rar'
|
|
- '\Temp\dumpert.dmp'
|
|
- '\Andrew.dmp'
|
|
- '\Coredump.dmp'
|
|
selection2:
|
|
TargetFilename|contains:
|
|
- '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
|
|
- '\lsassdump'
|
|
- '\lsassdmp'
|
|
selection3:
|
|
TargetFilename|contains|all:
|
|
- '\lsass'
|
|
- '.dmp'
|
|
selection4:
|
|
TargetFilename|contains: 'SQLDmpr'
|
|
TargetFilename|endswith: '.mdmp'
|
|
condition: 1 of selection*
|
|
falsepositives:
|
|
- Unknown
|
|
level: high |