detection.wiki

Detection rules › Sigma

LSASS Process Memory Dump Files

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1003.001 OS Credential Dumping: LSASS Memory

Event coverage

ProviderEvent IDTitle
Sysmon11FileCreate

Stages and Predicates

Stage 1: 1 of selection_1

or:
TargetFilename|endswith: '\Andrew.dmp'
TargetFilename|endswith: '\Coredump.dmp'
TargetFilename|endswith: '\NotLSASS.zip'
TargetFilename|endswith: '\PPLBlade.dmp'
TargetFilename|endswith: '\lsass.dmp'
TargetFilename|endswith: '\lsass.rar'
TargetFilename|endswith: '\lsass.zip'
TargetFilename|endswith: '\rustive.dmp'

Stage 2: 1 of selection_2

or:
TargetFilename|contains: '\lsass_2'
TargetFilename|contains: '\lsassdmp'
TargetFilename|contains: '\lsassdump'

Stage 3: 1 of selection_3

TargetFilename|contains: .dmp
TargetFilename|contains: '\lsass'

Stage 4: 1 of selection_4

TargetFilename|endswith: .mdmp
TargetFilename|contains: SQLDmpr

Stage 5: 1 of selection_5

or:
TargetFilename|contains: '\nanodump'
TargetFilename|contains: '\proc_'
TargetFilename|endswith: .dmp

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
TargetFilenameends_with
  • .dmp corpus 3 (sigma 3)
  • .mdmp
  • \Andrew.dmp
  • \Coredump.dmp
  • \NotLSASS.zip
  • \PPLBlade.dmp
  • \lsass.dmp
  • \lsass.rar
  • \lsass.zip
  • \rustive.dmp
TargetFilenamematch
  • .dmp corpus 2 (sigma 2)
  • SQLDmpr
  • \lsass corpus 3 (sigma 3)
  • \lsass_2
  • \lsassdmp
  • \lsassdump
  • \nanodump
  • \proc_