← Back to Explore
sigmahighHunting
LSASS Memory Access by Tool With Dump Keyword In Name
Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
Detection Query
selection:
TargetImage|endswith: \lsass.exe
SourceImage|contains: dump
GrantedAccess|endswith:
- "10"
- "30"
- "50"
- "70"
- "90"
- B0
- D0
- F0
- "18"
- "38"
- "58"
- "78"
- "98"
- B8
- D8
- F8
- 1A
- 3A
- 5A
- 7A
- 9A
- BA
- DA
- FA
- "0x14C2"
- FF
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2022-02-10
Data Sources
windowsProcess Access Events
Platforms
windows
References
Tags
attack.credential-accessattack.t1003.001attack.s0002
Raw Content
title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|contains: 'dump'
GrantedAccess|endswith:
- '10'
- '30'
- '50'
- '70'
- '90'
- 'B0'
- 'D0'
- 'F0'
- '18'
- '38'
- '58'
- '78'
- '98'
- 'B8'
- 'D8'
- 'F8'
- '1A'
- '3A'
- '5A'
- '7A'
- '9A'
- 'BA'
- 'DA'
- 'FA'
- '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- 'FF'
condition: selection
falsepositives:
- Rare programs that contain the word dump in their name and access lsass
level: high