rare case of troubleshooting by an administrator or support that has to be investigated regardless

t1003
t1003.001
windows
sigma

Techniques

t1003
t1003.001

Sample rules

LSASS Process Memory Dump Creation Via Taskmgr.EXE

source: sigma
technicques:
- t1003
- t1003.001

Description

Detects the creation of an “lsass.dmp” file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.

Detection logic

condition: selection
selection:
  Image|endswith:
  - :\Windows\system32\taskmgr.exe
  - :\Windows\SysWOW64\taskmgr.exe
  TargetFilename|contains|all:
  - \AppData\Local\Temp\
  - \lsass
  - .DMP