LoFP / bounded troubleshooting, IR, lab-validation, or red-team activity where the reconstructed target/output, launch context, and artifact/authentication evidence align.

Techniques

Sample rules

PowerShell MiniDump Script

Description

Detects PowerShell script blocks that reference MiniDumpWriteDump, the MiniDumpWithFullMemory dump type, or the reversed string pmuDetirWpmuDiniM (MiniDumpWriteDump spelled backwards, an obfuscation that stores the API name reversed and rebuilds it at run time). MiniDumpWriteDump writes a process's memory to a file; attackers use it to dump credential-bearing processes such as LSASS for credential theft and lateral movement.

Detection logic

event.category:process and host.os.type:windows and
powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
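The following is an added example, not code from the page or from the rule's maintainers. It runs the three-term clause above over a handful of constructed script-block events (fake telemetry, not real logs) to show what does and does not fire: a direct P/Invoke of the API, a reversed-string obfuscation that only the pmuDetirWpmuDiniM term catches, benign administration, and the same string on a non-Windows host. The ScriptBlockEvent class and the tokenizer are assumptions: the tokenizer approximates how a lowercased, analyzed text field is searched, and is not Elasticsearch's analyzer.

```python
import re
from dataclasses import dataclass

# Terms from the rule's script_block_text clause. The third is
# "MiniDumpWriteDump" spelled backwards, so the rule also fires on scripts
# that store the API name reversed and rebuild it at run time.
RULE_TERMS = ("MiniDumpWriteDump", "MiniDumpWithFullMemory", "pmuDetirWpmuDiniM")

# Assumption: approximate an analyzed text field by lowercasing and splitting
# on non-word characters, so a term is found inside "[Win32.Dbghelp]::MiniDumpWriteDump(".
_TOKEN = re.compile(r"[A-Za-z0-9_]+")


@dataclass
class ScriptBlockEvent:
    """Constructed stand-in for a PowerShell script-block event, using the
    ECS field names the query references (hypothetical, not a real schema)."""
    event_category: str     # event.category
    host_os_type: str       # host.os.type
    script_block_text: str  # powershell.file.script_block_text


def matched_terms(event):
    """Return the rule terms present in the event, or [] when it does not match."""
    # The query's first two clauses: event.category:process and host.os.type:windows
    if event.event_category != "process" or event.host_os_type != "windows":
        return []
    tokens = {t.lower() for t in _TOKEN.findall(event.script_block_text)}
    return [term for term in RULE_TERMS if term.lower() in tokens]


def matches_rule(event):
    return bool(matched_terms(event))


def unreverse_literal(literal):
    """What a reversed string literal rebuilds to at run time."""
    return literal[::-1]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Direct P/Invoke of the API requesting a full-memory dump of lsass.
    ScriptBlockEvent("process", "windows",
        "$p = Get-Process lsass; [Win32.Dbghelp]::MiniDumpWriteDump($p.Handle, $p.Id, "
        "$fs.SafeFileHandle, [Win32.Dbghelp]::MiniDumpWithFullMemory, 0, 0, 0)"),
    # Obfuscated: the API name is stored reversed and rebuilt with -join.
    ScriptBlockEvent("process", "windows",
        "$n='pmuDetirWpmuDiniM'; $fn=-join $n[-1..-$n.Length]; "
        "$t.GetMethod($fn).Invoke($null,$args)"),
    # Benign administration on the same host type: no match.
    ScriptBlockEvent("process", "windows",
        "Get-Process | Where-Object { $_.WorkingSet64 -gt 500MB } | Sort-Object CPU"),
    # Same string on a non-Windows host: outside the rule's scope.
    ScriptBlockEvent("process", "linux",
        "Write-Host 'MiniDumpWriteDump is a Win32 API'"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matched_terms(ev) or "no match", "<-", ev.script_block_text[:60])
    print(unreverse_literal("pmuDetirWpmuDiniM"))
```

The second sample is the reason the reversed term is in the rule: the script never contains MiniDumpWriteDump as a token, so without pmuDetirWpmuDiniM it would pass a plain term match. Substring and tokenization details of the real index can differ from this approximation, and the page shows only this clause of the query, so any exclusions the full rule carries are not reproduced here.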