frack113
37 lines
1.2 KiB
YAML
37 lines
1.2 KiB
YAML
title: LSASS Memory Dumping
|
|
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
|
|
status: test
|
|
description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
|
|
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
|
|
references:
|
|
- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
|
|
- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
|
|
date: 2019/10/24
|
|
modified: 2021/11/27
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection1:
|
|
CommandLine|contains|all:
|
|
- 'lsass'
|
|
- '.dmp'
|
|
selection2:
|
|
Image|endswith: '\werfault.exe'
|
|
selection3:
|
|
Image|contains: '\procdump'
|
|
Image|endswith: '.exe'
|
|
CommandLine|contains: 'lsass'
|
|
condition: selection1 and not selection2 or selection3
|
|
fields:
|
|
- ComputerName
|
|
- User
|
|
- CommandLine
|
|
falsepositives:
|
|
- Unlikely
|
|
level: high
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003.001
|