LoFP / unknown cases in which werfault accesses lsass.exe

Techniques

Sample rules

Credential Dumping Attempt Via WerFault

Description

Detects an LSASS process memory dump made with Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr, based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll, on Windows 10, Server 2016 and later.

Detection logic

condition: selection
selection:
  GrantedAccess: '0x1FFFFF'
  SourceImage|endswith: \WerFault.exe
  TargetImage|endswith: \lsass.exe
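Added example (Python, not code from the LoFP page or the Sigma project): it applies the selection above to constructed Sysmon Event ID 10 (ProcessAccess) records, assuming the case-insensitive string comparison that Sigma backends use for Windows fields. Record e4 shows that the rule matches on the image-name suffix only, which is why the source path is worth checking when triaging the WerFault false positive.

```python
# Added example: evaluates the "Credential Dumping Attempt Via WerFault"
# selection against constructed Sysmon Event ID 10 records (sample data).
from typing import Dict, List

# Sigma selection copied from the rule; the map is an implicit AND.
SELECTION = {
    "GrantedAccess": "0x1FFFFF",           # exact value match
    "SourceImage|endswith": "\\WerFault.exe",
    "TargetImage|endswith": "\\lsass.exe",
}


def _field_matches(event: Dict[str, str], key: str, expected: str) -> bool:
    """Apply one Sigma field test; Windows values are compared case-insensitively."""
    name, _, modifier = key.partition("|")
    actual = event.get(name, "")
    if modifier == "endswith":
        return actual.lower().endswith(expected.lower())
    if modifier == "":
        return actual.lower() == expected.lower()
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_rule(event: Dict[str, str]) -> bool:
    """True when every field in SELECTION matches."""
    return all(_field_matches(event, k, v) for k, v in SELECTION.items())


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events that fire the rule, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed Sysmon EID 10 records (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "SourceImage": r"C:\Windows\System32\WerFault.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": "e2", "SourceImage": r"C:\Windows\System32\WerFault.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"id": "e3", "SourceImage": r"C:\Windows\System32\WerFault.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": "e4", "SourceImage": r"C:\Users\Public\WerFault.exe",   # suffix-only match
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # → ['e1', 'e4']
```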