EXPLORE
Sign In
← Back to Explore
sigmahighHunting

LSASS Access From Potentially White-Listed Processes

Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference

MITRE ATT&CK

T1003.001S0002
credential-access

Detection Query

selection:
  TargetImage|endswith: \lsass.exe
  SourceImage|endswith:
    - \TrolleyExpress.exe
    - \ProcessDump.exe
    - \dump64.exe
  GrantedAccess|endswith:
    - "10"
    - "30"
    - "50"
    - "70"
    - "90"
    - B0
    - D0
    - F0
    - "18"
    - "38"
    - "58"
    - "78"
    - "98"
    - B8
    - D8
    - F8
    - 1A
    - 3A
    - 5A
    - 7A
    - 9A
    - BA
    - DA
    - FA
    - "0x14C2"
    - FF
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2022-02-10

Data Sources

windowsProcess Access Events

Platforms

windows

References

Tags

attack.credential-accessattack.t1003.001attack.s0002
Raw Content
title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
description: |
    Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
    - https://twitter.com/mrd0x/status/1460597833917251595
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith:
            - '\TrolleyExpress.exe'  # Citrix
            - '\ProcessDump.exe'     # Cisco Jabber
            - '\dump64.exe'          # Visual Studio
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
    condition: selection
falsepositives:
    - Unknown
level: high