LoFP / t1003

t1003

actual failures in lsass.exe that trigger a crash dump (unlikely)
administrative activity
administrative work
another service that uses a single -s command line switch
another tool that uses command line flags similar to procdump
another tool that uses the command line switches of xordump
antivirus products
antivirus, anti-spyware, anti-malware software
av signature updates
backup software
command lines that use the same flags
copying sensitive files for legitimate use (e.g. backup) or forensic investigation by a legitimate incident responder or forensic investigator.
diagnostics
dumping hives for a legitimate purpose, i.e. backup or forensic investigation
false positives are expected in cases in which procdump just gets copied to a different directory without any renaming
false positives are possible if the environment is using certificates for authentication.
false positives should be limited as the commands being identified are quite specific to eventcode 4104 and mimikatz. filter as needed.
false positives should be limited as this is directly looking for mimikatz, the credential dumping utility.
false positives will be present based on many factors. tune the correlation as needed to reduce too many triggers.
files with mimikatz in their filename
google chrome googleupdate.exe
if a computer is a member of a domain, dpapi has a backup mechanism to allow unprotection of the data. which will trigger this event.
legitimate admin activity
legitimate admin usage
legitimate administrative activity related to shadow copies.
legitimate administrative tasks
legitimate administrator using credential dumping tool for password recovery
legitimate administrator using tool for password recovery
legitimate administrator working with shadow copies, access for backup purposes
legitimate application that needs to do a full dump of their process
legitimate backup operation by authorized administrators. matches must be investigated and allowed on a case by case basis.
legitimate backup operation/creating shadow copies
legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
legitimate mssql server actions
legitimate powershell scripts
legitimate software accessing lsass process for legitimate reason; update the whitelist with it
legitimate software installed by the users for example in the "appdata" directory may access these files (for any reason).
legitimate software installed on partitions other than "c:\"
legitimate software such as av and edr
legitimate usage by software developers/testers
legitimate usage for administration purposes
legitimate usage of adplus for debugging purposes
legitimate usage to restore snapshots
legitimate use of one of these tools
legitimate use of procdump by a developer or administrator
legitimate use of volume shadow copy mounts (backups maybe).
legitimate use of vssvc. maybe backup operations. it would usually be done by c:\windows\system32\vssvc.exe.
local domain admin account used for azure ad connect
mimikatz can be useful for testing the security of networks
monitoring activity
naughty administrators
ntds maintenance
other legitimate network providers used and not filtered in this rule
powershell scripts fixing hivenightmare / serioussam acls
powershell scripts that use this capability for troubleshooting.
rare case of troubleshooting by an administrator or support that has to be investigated regardless
rare cases of administrative activity
rare legitimate crashing of the lsass process
rare legitimate dump of the process by the operating system due to a crash of lsass
rare legitimate files with similar filename structure
rare programs that contain the word dump in their name and access lsass
scripts and administrative tools used in the monitored environment
searching software such as "everything.exe"
some administrator activity can be potentially triggered, please add those users to the filter macro.
some rare backup scenarios
some taskmgr.exe related activity
this module can be loaded by a third party application. filter is needed.
to be determined
transferring sensitive files for legitimate administration work by legitimate administrator
unknown cases in which werfault accesses lsass.exe
unlikely
unlikely, because no one should dump an lsass process memory
valid change
valid dc sync that is not covered by the filters; please report
valid user connecting using rdp
very unlikely
windows error reporting might produce similar behavior. in that case, check the pid associated with the "-p" parameter in the commandline.