Techniques
Sample rules
Access LSASS Memory for Dump Creation
- source: splunk
- technicques:
- T1003.001
- T1003
Description
The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks.
Detection logic
`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll*
| stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `access_lsass_memory_for_dump_creation_filter`
Creation of lsass Dump with Taskmgr
- source: splunk
- technicques:
- T1003.001
- T1003
Description
Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp.
Detection logic
`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp
| stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category, process_name, TargetFilename
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `creation_of_lsass_dump_with_taskmgr_filter`