LoFP / rare legitimate dump of the process by the operating system due to a crash of lsass

Techniques

Sample rules

LSASS Process Dump Artefact In CrashDumps Folder

Description

Detects the presence of an LSASS dump file in the “CrashDumps” folder. This could be a sign of LSASS credential dumping: techniques such as LSASS Shtinkering have been observed abusing Windows Error Reporting (WER) to dump the process, and a genuine lsass crash handled by WER produces a dump with the same name in the same folder, which is the rare legitimate case this false-positive entry describes.

Detection logic

condition: selection
selection:
  TargetFilename|contains: lsass.exe.
  TargetFilename|endswith: .dmp
  TargetFilename|startswith: C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\
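The selection above evaluated over constructed file-creation events, as an added example that is not part of this page or of the Sigma project. It implements the three Sigma string modifiers the rule uses (Sigma compares strings case-insensitively) and shows that a legitimate WER crash dump of lsass.exe lands on exactly the path the rule alerts on, so the rule alone cannot separate the false positive from abuse; the PID in the file names is made up.

```python
# Added example: a minimal evaluator for the Sigma selection in the rule above.
# Sigma string matching is case-insensitive and the map's fields are ANDed.
SELECTION = {
    "TargetFilename|startswith":
        "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\",
    "TargetFilename|contains": "lsass.exe.",   # WER names dumps <image>.<pid>.dmp
    "TargetFilename|endswith": ".dmp",
}

def _match(modifier, value, pattern):
    """Apply one Sigma string modifier (None means exact match), case-insensitively."""
    v, p = value.lower(), pattern.lower()
    if modifier is None:
        return v == p
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported Sigma modifier: {modifier}")

def selection_matches(event, selection=SELECTION):
    """True when every 'field|modifier: pattern' entry of the selection holds."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not _match(modifier or None, value, pattern):
            return False
    return True

# Constructed sample events (TargetFilename as a Sysmon file-create event carries it).
CRASHDUMPS = "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\"
SAMPLE_EVENTS = [
    # Legitimate WER dump after an lsass crash: identical path to the abuse case (the LoFP).
    {"TargetFilename": CRASHDUMPS + "lsass.exe.712.dmp"},
    # Same file logged in a different case: still matches, Sigma is case-insensitive.
    {"TargetFilename": CRASHDUMPS.upper() + "LSASS.EXE.712.DMP"},
    # Crash dump of another process in the folder: out of scope.
    {"TargetFilename": CRASHDUMPS + "notepad.exe.4100.dmp"},
    # lsass dump outside the CrashDumps folder: not covered by this rule.
    {"TargetFilename": "C:\\Temp\\lsass.exe.712.dmp"},
]

def alerts(events):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if selection_matches(e)]
```

Because the first two events are indistinguishable from an abused WER dump by path alone, triage has to rely on context such as whether an lsass crash was actually recorded at that time.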