LoFP / rare programs that contain the word dump in their name and access lsass

Techniques

Sample rules

LSASS Memory Access by Tool With Dump Keyword In Name

Description

Detects LSASS process access requests from a source process with the “dump” keyword in its image name.

Detection logic

condition: selection
selection:
  GrantedAccess|endswith:
  - '10'
  - '30'
  - '50'
  - '70'
  - '90'
  - 'B0'
  - 'D0'
  - 'F0'
  - '18'
  - '38'
  - '58'
  - '78'
  - '98'
  - 'B8'
  - 'D8'
  - 'F8'
  - '1A'
  - '3A'
  - '5A'
  - '7A'
  - '9A'
  - 'BA'
  - 'DA'
  - 'FA'
  - '0x14C2'
  - 'FF'
  SourceImage|contains: 'dump'
  TargetImage|endswith: '\lsass.exe'
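The selection above evaluated against constructed Sysmon ProcessAccess records, as an added example that is not part of the original page or the rule's own tooling; the program names and field values are constructed, and Sigma's case-insensitive semantics for `contains`/`endswith` are assumed.

```python
# Sigma string modifiers (contains/endswith) match case-insensitively,
# so both sides are normalised before comparison.
GRANTED_ACCESS_SUFFIXES = [
    "10", "30", "50", "70", "90", "B0", "D0", "F0",
    "18", "38", "58", "78", "98", "B8", "D8", "F8",
    "1A", "3A", "5A", "7A", "9A", "BA", "DA", "FA",
    "0x14C2", "FF",
]


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's 'selection' (all three fields AND-ed) against one
    ProcessAccess event. Field names follow the rule; any field missing from
    the event counts as an empty string and therefore cannot match."""
    granted = str(event.get("GrantedAccess", "")).upper()
    source = str(event.get("SourceImage", "")).lower()
    target = str(event.get("TargetImage", "")).lower()
    access_hit = any(granted.endswith(s.upper()) for s in GRANTED_ACCESS_SUFFIXES)
    return access_hit and "dump" in source and target.endswith("\\lsass.exe")


def evaluate(events: list) -> list:
    """Return the SourceImage of every event that triggers the rule."""
    return [e["SourceImage"] for e in events if matches_rule(e)]


LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed sample events (not real telemetry). The first is the
# false-positive case this page is about: a benign crash-dump agent whose
# image name contains "dump" and whose access mask ends in a listed suffix.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Program Files\Vendor\CrashDumpAgent.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},   # fires: ends with '10'
    {"SourceImage": r"C:\Tools\dumptool.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"}, # fires: ends with 'FF'
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},   # no "dump" in name
    {"SourceImage": r"C:\Tools\memdump.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF"},                        # target is not lsass
    {"SourceImage": r"C:\Tools\dumpviewer.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1400"},   # suffix '00' not listed
]

if __name__ == "__main__":
    for image in evaluate(SAMPLE_EVENTS):
        print("rule fired for:", image)
```

Only the first two constructed events fire; the third, fourth and fifth each miss exactly one of the three AND-ed conditions, which is useful when deciding whether a tuning filter should key on the image path, the target, or the access mask.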