legitimate application that needs to do a full dump of their process

t1003
t1003.001
windows
sigma

Techniques

t1003
t1003.001

Sample rules

Lsass Full Dump Request Via DumpType Registry Settings

source: sigma
technicques:
- t1003
- t1003.001

Description

Detects the setting of the “DumpType” registry value to “2” which stands for a “Full Dump”. Technique such as LSASS Shtinkering requires this value to be “2” in order to dump LSASS.

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000002)
  TargetObject|contains:
  - \SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType
  - \SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType