sigmahighHunting

WerFault LSASS Process Memory Dump

Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials

MITRE ATT&CK

T1003.001

credential-access

Detection Query

selection:
  Image: C:\WINDOWS\system32\WerFault.exe
  TargetFilename|contains:
    - \lsass
    - lsass.exe
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2022-06-27

Data Sources

windowsFile Events

Platforms

windows

References

https://github.com/helpsystems/nanodump

Tags

attack.credential-accessattack.t1003.001

Raw Content

title: WerFault LSASS Process Memory Dump
id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
status: test
description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
references:
    - https://github.com/helpsystems/nanodump
author: Florian Roth (Nextron Systems)
date: 2022-06-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: C:\WINDOWS\system32\WerFault.exe
        TargetFilename|contains:
            - '\lsass'
            - 'lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high