Detection rules › Elastic
Potential LSASS Memory Dump via PssCaptureSnapShot
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003 OS Credential Dumping, T1003.001 OS Credential Dumping: LSASS Memory |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 10 | ProcessAccess |
Stages and Predicates
Stage 1: threshold:kuery
event.category:"process" and winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or "c:\\Windows\\System32\\lsass.exe" or "c:\\Windows\\system32\\lsass.exe")Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event.category | eq |
|
winlog.event_data.TargetImage | in |
|