LoFP / Administrators can create memory dumps for debugging purposes, but memory dumps of the lsass process would be unusual.

Sample rules

Creation of lsass Dump with Taskmgr

Description

The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 (FileCreate) to identify file creation events where the creating process is taskmgr.exe and the target filename matches *lsass*.dmp; Task Manager's "Create dump file" action writes lsass.DMP under the user's local temp directory. This activity is significant because an lsass dump contains credential material such as NTLM hashes, Kerberos tickets and, where WDigest is enabled, plaintext passwords. If confirmed malicious, an attacker could extract those credentials from the dump offline and escalate privileges, potentially compromising the entire domain. Administrators do dump processes from Task Manager to debug them, so the rule keys on the target filename rather than on dump creation in general.

Detection logic

`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category, process_name, TargetFilename  
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `creation_of_lsass_dump_with_taskmgr_filter`

Access LSASS Memory for Dump Creation

Description

The following analytic detects attempts to read LSASS process memory in order to write a dump, a common credential-dumping technique. It leverages Sysmon EventCode 10 (ProcessAccess) and looks for accesses to lsass.exe whose CallTrace includes dbgcore.dll or dbghelp.dll, the libraries that export MiniDumpWriteDump and that Task Manager, ProcDump and similar tools go through to write the dump. This activity is significant because it often precedes the theft of login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could obtain critical credentials, enabling further compromise and lateral movement within the network. Routine accesses to lsass.exe (for example by svchost.exe or security products) do not carry these debugging libraries in their call stack and therefore do not match.

Detection logic

`sysmon` EventCode=10 TargetImage=*lsass.exe (CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll*) 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId  
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `access_lsass_memory_for_dump_creation_filter`