Detection rules › Kusto Query Language

Dumping LSASS Process Into a File

Source
upstream

'Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials. As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. Ref: https://attack.mitre.org/techniques/T1003/001/'

MITRE ATT&CK coverage

Tactic              Techniques
Credential Access   T1003.001 OS Credential Dumping: LSASS Memory

Event coverage

Provider   Event ID   Title
Sysmon     10         ProcessAccess

Stages and Predicates

Stage 1: source

Event

Stage 2: where

and
  EventID eq "10"
  EventLog eq "Microsoft-Windows-Sysmon/Operational"

Stage 3: parse

Stage 4: where

and
  CallTrace match ["dbghelp.dll", "dbgcore.dll"]
  GrantedAccess eq "0x1FFFFF"
  TargetImage eq "C:\\Windows\\System32\\lsass.exe"

Stage 5: parse

Stage 6: summarize

Stage 7: extend

Indicators

Each row is a field, operator, and value that the rule matches. The corpus count beside each value shows how many other rules in the catalog look for the same field, operator and value combination: high numbers point to widely used, community-vetted indicators. A blank or a count of 1 means the indicator is specific to this rule.

Field          Kind    Values
CallTrace      match
  • dbgcore.dll corpus 2 (sigma 2)
  • dbghelp.dll corpus 2 (sigma 2)
EventID        eq
  • 10 corpus 14 (splunk 14)
EventLog       eq
  • Microsoft-Windows-Sysmon/Operational
GrantedAccess  eq
  • 0x1FFFFF corpus 3 (sigma 3)
TargetImage    eq
  • C:\\Windows\\System32\\lsass.exe
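The where and parse stages of the pipeline above, together with the indicator list, re-implemented in Python and run over constructed Sysmon Event ID 10 records. This is an added example, not the catalog's own KQL. It assumes each record carries EventID, EventLog and a Sysmon-style EventData XML blob, that "match" means a case-insensitive substring match against any listed value, that "eq" is case-insensitive string equality, and that the SourceImage paths and CallTrace entries in the samples are made up; the summarize and extend stages are not shown on the page and are not implemented.

```python
"""Python re-implementation of the rule's source/where/parse stages.

Added example, not the catalog's KQL.  Assumptions (labelled):
  * records carry EventID, EventLog and an EventData XML blob in the
    Sysmon layout (<Data Name="...">...</Data>), which stage 3 flattens;
  * "match" = case-insensitive substring match against any listed value;
  * "eq"    = case-insensitive string equality (Sysmon writes GrantedAccess
    as upper-case hex, but a case-insensitive compare is more robust).
The page does not show the summarize/extend fields, so they are omitted.
"""
import xml.etree.ElementTree as ET

EVENT_ID = "10"
EVENT_LOG = "Microsoft-Windows-Sysmon/Operational"
CALLTRACE_MODULES = ("dbghelp.dll", "dbgcore.dll")
GRANTED_ACCESS = "0x1FFFFF"
TARGET_IMAGE = r"C:\Windows\System32\lsass.exe"


def stage2_where(rec: dict) -> bool:
    """Stage 2: keep only Sysmon ProcessAccess (Event ID 10) records."""
    return rec.get("EventID") == EVENT_ID and rec.get("EventLog") == EVENT_LOG


def stage3_parse(rec: dict) -> dict:
    """Stage 3: flatten EventData XML into {Data Name: text} (assumed layout)."""
    fields = {}
    for data in ET.fromstring(rec["EventData"]).iter("Data"):
        fields[data.get("Name")] = data.text or ""
    return fields


def stage4_where(f: dict) -> bool:
    """Stage 4: the three indicators; all must hold for the rule to fire."""
    trace = f.get("CallTrace", "").lower()
    return (
        any(mod in trace for mod in CALLTRACE_MODULES)
        and f.get("GrantedAccess", "").upper() == GRANTED_ACCESS.upper()
        and f.get("TargetImage", "").lower() == TARGET_IMAGE.lower()
    )


def run_rule(records):
    """Run the pipeline; return the parsed fields of every record that fires."""
    hits = []
    for rec in records:
        if not stage2_where(rec):
            continue
        fields = stage3_parse(rec)
        if stage4_where(fields):
            hits.append(fields)
    return hits


def event_data(**kv):
    """Build a constructed Sysmon-style EventData blob for the samples below."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in kv.items())
    return f"<EventData>{body}</EventData>"


# Constructed sample records (not real telemetry).  Sysmon writes CallTrace as
# module+offset entries separated by "|"; offsets and paths here are invented.
SAMPLE_RECORDS = [
    {   # fires: full-access handle to lsass.exe with dbgcore.dll on the stack
        "EventID": "10", "EventLog": EVENT_LOG,
        "EventData": event_data(
            SourceImage=r"C:\Users\Public\constructed-sample.exe",
            TargetImage=r"C:\Windows\System32\lsass.exe",
            GrantedAccess="0x1FFFFF",
            CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+9d234"
                      r"|C:\Windows\System32\KERNELBASE.dll+2bd0e"
                      r"|C:\Windows\SYSTEM32\dbgcore.DLL+6ae1"
                      r"|C:\Users\Public\constructed-sample.exe+1234"),
    },
    {   # does not fire: routine low-rights query of lsass.exe by a service host
        "EventID": "10", "EventLog": EVENT_LOG,
        "EventData": event_data(
            SourceImage=r"C:\Windows\System32\svchost.exe",
            TargetImage=r"C:\Windows\System32\lsass.exe",
            GrantedAccess="0x1000",
            CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+9d234"
                      r"|C:\Windows\System32\KERNELBASE.dll+2bd0e"),
    },
    {   # does not fire: full access, but neither debug-helper DLL in the trace
        "EventID": "10", "EventLog": EVENT_LOG,
        "EventData": event_data(
            SourceImage=r"C:\Windows\System32\constructed-agent.exe",
            TargetImage=r"C:\Windows\System32\lsass.exe",
            GrantedAccess="0x1FFFFF",
            CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+9d234"
                      r"|C:\Windows\System32\constructed-agent.exe+4c20"),
    },
    {   # does not fire: wrong event ID (process creation, not process access)
        "EventID": "1", "EventLog": EVENT_LOG,
        "EventData": event_data(Image=r"C:\Users\Public\constructed-sample.exe"),
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_RECORDS):
        print(f"ALERT: {hit['SourceImage']} -> {hit['TargetImage']} "
              f"(GrantedAccess {hit['GrantedAccess']})")
```

Only the first sample fires. The second shows why the GrantedAccess predicate is there: plenty of legitimate processes open lsass.exe with narrow rights. The third shows the AND between the indicators: a full-access handle on its own is not enough, the rule is deliberately scoped to the dbghelp/dbgcore code path, so when tuning it, widen or narrow the CallTrace list rather than dropping the GrantedAccess check.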