EXPLORE
Sign In
← Back to Explore
sigmahighTTP

Potential LSASS Process Dump Via Procdump

Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.

MITRE ATT&CK

T1036T1003.001
defense-evasioncredential-access

Detection Query

selection_flags:
  CommandLine|contains|windash:
    - " -ma "
    - " -mm "
    - " -mp "
selection_process:
  CommandLine|contains:
    - " ls"
    - " keyiso"
    - " samss"
condition: all of selection_*

Author

Florian Roth (Nextron Systems)

Created

2018-10-30

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1036attack.credential-accessattack.t1003.001car.2013-05-009
Raw Content
title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
    Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
    This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
    LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
    Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
    - https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002
    - https://x.com/wietze/status/1958302556033065292?s=12
author: Florian Roth (Nextron Systems)
date: 2018-10-30
modified: 2025-10-19
tags:
    - attack.defense-evasion
    - attack.t1036
    - attack.credential-access
    - attack.t1003.001
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection_flags:
        CommandLine|contains|windash:
            - ' -ma '
            - ' -mm ' # Mini dump
            - ' -mp ' # Miniplus dump
    selection_process:
        CommandLine|contains:
            - ' ls' # Short for lsass
            - ' keyiso'
            - ' samss'
    condition: all of selection_*
falsepositives:
    - Unlikely, because no one should dump an lsass process memory
    - Another tool that uses command line flags similar to ProcDump
level: high