
t1003.001

Title
actual failures in lsass.exe that trigger a crash dump (unlikely)
administrators can create memory dumps for debugging purposes, but memory dumps of the lsass process would be unusual.
another service that uses a single -s command line switch
another tool that uses command line flags similar to procdump
another tool that uses the command line switches of xordump
antivirus products
av signature updates
command lines that use the same flags
dump64.exe in other folders than the excluded one
false positives are expected in cases in which procdump just gets copied to a different directory without any renaming
false positives may be present if an application is dumping processes, filter as needed. recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what.
false positives will occur based on grantedaccess 0x1010 and 0x1400, filter based on source image as needed or remove them. concern is cobalt strike usage of mimikatz will generate 0x1010 initially, but later be caught.
false positives will occur based on grantedaccess and sourceuser, filter based on source image as needed. utilize this hunting analytic to tune out false positives in ttp or anomaly analytics.
false positives will occur based on legitimate application requests, filter based on source image as needed.
files with mimikatz in their filename
google chrome googleupdate.exe
legitimate administrator using credential dumping tool for password recovery
legitimate administrator using tool for password recovery
legitimate application that needs to do a full dump of its own process
legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
legitimate mssql server actions
legitimate software accessing lsass process for legitimate reason; update the whitelist with it
legitimate software such as av and edr
legitimate usage by software developers/testers
legitimate usage of adplus for debugging purposes
legitimate use of procdump by a developer or administrator
naughty administrators
other tools can access lsass for legitimate reasons and generate an event. in these cases, tweaking the search may help eliminate noise.
other tools can import the same dlls. these tools should be part of a whitelist. false positives may be present with any process that authenticates or uses credentials, powershell included. filter based on parent process.
other tools could load images into lsass for legitimate reasons, but enterprise tools should always use signed dlls.
rare case of troubleshooting by an administrator or support that has to be investigated regardless
rare legitimate crashing of the lsass process
rare legitimate dump of the process by the operating system due to a crash of lsass
rare legitimate files with similar filename structure
rare programs that contain the word dump in their name and access lsass
some taskmgr.exe related activity
the activity may be legitimate. other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. in these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
the activity may be legitimate. powershell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. in these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
transferring sensitive files for legitimate administration work by legitimate administrator
unknown cases in which werfault accesses lsass.exe
unlikely
unlikely, because no one should dump the memory of the lsass process
valid user connecting using rdp
very unlikely
windows error reporting might produce similar behavior. in that case, check the pid associated with the "-p" parameter in the commandline.