t1003

Title
actual failures in lsass.exe that trigger a crash dump (unlikely)
administrative activity
administrative work
an administrator or network operator can execute this command. please update the filter macros to remove false positives.
administrators can create memory dumps for debugging purposes, but memory dumps of the lsass process would be unusual.
another service that uses a single -s command line switch
another tool that uses command line flags similar to procdump
another tool that uses the command line switches of xordump
antivirus products
antivirus, anti-spyware, anti-malware software
av signature updates
azure ad connect syncing operations.
backup software
command lines that use the same flags
copying sensitive files for legitimate use (e.g. backup) or forensic investigation by a legitimate incident responder or forensic investigator.
diagnostics
dumping hives for a legitimate purpose, i.e. backup or forensic investigation
false positives are expected in cases in which procdump just gets copied to a different directory without any renaming
false positives are possible if the environment is using certificates for authentication.
false positives should be limited as the commands being identified are quite specific to eventcode 4104 and mimikatz. filter as needed.
false positives should be limited as this is directly looking for mimikatz, the credential dumping utility.
false positives should be limited, but if any are present, filter as needed.
false positives should be limited, but if any are present, filter as needed. in some instances, `cscript.exe` is used for legitimate business practices.
false positives should be limited. filter as needed.
false positives will be present based on many factors. tune the correlation as needed to reduce too many triggers.
false positives will occur based on grantedaccess 0x1010 and 0x1400, filter based on source image as needed or remove them. concern is cobalt strike usage of mimikatz will generate 0x1010 initially, but later be caught.
false positives will occur based on grantedaccess and sourceuser, filter based on source image as needed. utilize this hunting analytic to tune out false positives in ttp or anomaly analytics.
false positives will occur based on legitimate application requests, filter based on source image as needed.
files with mimikatz in their filename
genuine dc promotion may trigger this alert.
google chrome googleupdate.exe
highly possible server administrators will troubleshoot with ntdsutil.exe, generating false positives.
if a computer is a member of a domain, dpapi has a backup mechanism to allow unprotection of the data. which will trigger this event.
it is possible some agent based products will generate false positives. filter as needed.
legitimate admin activity
legitimate admin usage
legitimate administrative activity related to shadow copies.
legitimate administrative tasks
legitimate administrator usage of vssadmin or wmic will create false positives.
legitimate administrator usage of wmic to create a shadow copy.
legitimate administrator using credential dumping tool for password recovery
legitimate administrator using tool for password recovery
legitimate administrator working with shadow copies, access for backup purposes
legitimate application that needs to do a full dump of their process
legitimate backup operation by authorized administrators. matches must be investigated and allowed on a case by case basis.
legitimate backup operation/creating shadow copies
legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
legitimate mssql server actions
legitimate powershell scripts
legitimate software accessing lsass process for legitimate reason; update the whitelist with it
legitimate software installed by the users for example in the "appdata" directory may access these files (for any reason).
legitimate software installed on partitions other than "c:\"
legitimate software such as av and edr
legitimate usage by software developers/testers
legitimate usage for administration purposes
legitimate usage of adplus for debugging purposes
legitimate usage to restore snapshots
legitimate use of one of these tools
legitimate use of procdump by a developer or administrator
legitimate use of volume shadow copy mounts (backups maybe).
legitimate use of vssvc. maybe backup operations. it would usually be done by c:\windows\system32\vssvc.exe.
limited false positives as the scope is limited to sam, system and security hives.
local domain admin account used for azure ad connect
mimikatz can be useful for testing the security of networks
monitoring activity
natively, `dllhost.exe` will access the files. every environment will have additional native processes that do as well. filter by process_name. as an aside, one can remove process_name entirely and add `object_name=*shadowcopy*`.
naughty administrators
new domain controllers or certain scripts run by administrators.
ntds maintenance
other legitimate network providers used and not filtered in this rule
other tools can access lsass for legitimate reasons and generate an event. in these cases, tweaking the search may help eliminate noise.
other tools can import the same dlls. these tools should be part of a whitelist. false positives may be present with any process that authenticates or uses credentials, powershell included. filter based on parent process.
powershell scripts fixing hivenightmare / serioussam acls
powershell scripts that use this capability for troubleshooting.
rare case of troubleshooting by an administrator or support that has to be investigated regardless
rare cases of administrative activity
rare legitimate crashing of the lsass process
rare legitimate dump of the process by the operating system due to a crash of lsass
rare legitimate files with similar filename structure
rare programs that contain the word dump in their name and access lsass
scripts and administrative tools used in the monitored environment
searching software such as "everything.exe"
some administrator activity can be potentially triggered, please add those users to the filter macro.
some rare backup scenarios
some taskmgr.exe related activity
the activity may be legitimate. other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. in these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
the build engine is commonly used by windows developers but use by non-engineers is unusual.
this module can be loaded by a third party application. filter is needed.
to be determined
transferring sensitive files for legitimate administration work by legitimate administrator
unknown cases in which werfault accesses lsass.exe
unlikely
unlikely, because no one should dump an lsass process memory
valid change
valid dc sync that is not covered by the filters; please report
valid user connecting using rdp
very unlikely
windows error reporting might produce similar behavior. in that case, check the pid associated with the "-p" parameter in the commandline.