Techniques
Sample rules
Windows Credential Dumping LSASS Memory Createdump
- source: splunk
- technicques:
- T1003.001
Description
The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in my many different third party applications including PowerShell 7.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=createdump.exe OR Processes.original_file_name="FX_VER_INTERNALNAME_STR" Processes.process="*-u *" AND Processes.process="*-f *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_credential_dumping_lsass_memory_createdump_filter`