Creation of lsass Dump with Taskmgr

name: Creation of lsass Dump with Taskmgr
id: b2fbe95a-9c62-4c12-8a29-24b97e84c0cd
version: 12
date: '2026-03-10'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches *lsass*.dmp. This activity is significant because creating an lsass dump can be a precursor to credential theft, as the dump file contains sensitive information such as user passwords. If confirmed malicious, an attacker could use the lsass dump to extract credentials and escalate privileges, potentially compromising the entire network.
data_source:
    - Sysmon EventID 11
search: |-
    `sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY action dest file_name
           file_path process_guid process_id
           user_id vendor_product process_name
           TargetFilename
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `creation_of_lsass_dump_with_taskmgr_filter`
how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
known_false_positives: Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager
    - https://attack.mitre.org/techniques/T1003/001/
    - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: $process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Credential Dumping
        - CISA AA22-257A
        - Cactus Ransomware
        - Seashell Blizzard
        - Scattered Lapsus$ Hunters
    asset_type: Windows
    mitre_attack_id:
        - T1003.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog