unlikely, because no one should dump an lsass process memory

t1003
t1003.001
t1036
windows
sigma

Techniques

t1003
t1003.001
t1036

Sample rules

Potential LSASS Process Dump Via Procdump

source: sigma
technicques:
- t1003
- t1003.001
- t1036

Description

Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.

Detection logic

condition: all of selection_*
selection_flags:
  CommandLine|contains|windash:
  - ' -ma '
  - ' -mm '
  - ' -mp '
selection_process:
  CommandLine|contains:
  - ' ls'
  - ' keyiso'
  - ' samss'