LoFP / unlikely, because no one should dump LSASS process memory

Techniques

Sample rules

Potential LSASS Process Dump Via Procdump

Description

Detects suspicious use of the Sysinternals ProcDump utility by matching its full-dump command-line flag (-ma) together with the lsass process name, rather than matching on the procdump image name. Because the match is on the command line only, the rule also catches cases in which the attacker has renamed the procdump executable.

Detection logic

condition: all of selection*
selection_flags:
  CommandLine|contains|windash: ' -ma '
selection_process:
  CommandLine|contains: ' ls'
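The rule above relies on two Sigma behaviours that are easy to overlook: string matching is case-insensitive, and the windash modifier expands the dash in ' -ma ' so that the '/ma' spelling is matched as well. The following is an added example (not part of the Sigma rule or of the page) that re-implements that condition in plain Python and runs it over a handful of constructed process-creation command lines, including a renamed procdump binary, the slash form of the flag, and a dump taken by PID instead of by process name, which the ' ls' selection does not cover. The dash variants listed and the event layout are assumptions for illustration, not the Sigma specification.

```python
# Re-implementation of the "Potential LSASS Process Dump Via Procdump" logic.
# Added example; the rule text itself is the authority, this only illustrates it.

# Assumption: windash expands '-' into these concrete characters
# (Sigma documents '-' and '/'; en/em dash handling varies by version).
DASH_VARIANTS = ("-", "/", "\u2013", "\u2014")

SELECTION_FLAGS = " -ma "   # CommandLine|contains|windash
SELECTION_PROCESS = " ls"   # CommandLine|contains


def windash_variants(pattern):
    """Expand a windash pattern into every concrete string it matches."""
    return [pattern.replace("-", dash) for dash in DASH_VARIANTS]


def matches_rule(command_line):
    """condition: all of selection*  (case-insensitive, like Sigma)."""
    cl = command_line.lower()
    flags_hit = any(v in cl for v in windash_variants(SELECTION_FLAGS.lower()))
    process_hit = SELECTION_PROCESS.lower() in cl
    return flags_hit and process_hit


# Constructed sample events (not real telemetry); Image is shown only to make
# the point that the rule never looks at it.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -ma lsass.exe C:\Temp\lsass.dmp"},
    # renamed binary: still caught because only CommandLine is inspected
    {"Image": r"C:\Users\bob\svc.exe",
     "CommandLine": r"svc.exe -accepteula -ma lsass.exe C:\Temp\l.dmp"},
    # slash form of the flag, handled by windash
    {"Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe /ma lsass C:\Temp\l.dmp"},
    # dump by PID: no ' ls' in the command line, so the rule is silent
    {"Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -ma 624 C:\Temp\l.dmp"},
    # full dump of an unrelated process: expected not to fire
    {"Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -ma notepad.exe C:\Temp\np.dmp"},
]


def alerts(events):
    """Return the command lines of every event the rule would flag."""
    return [e["CommandLine"] for e in events if matches_rule(e["CommandLine"])]


if __name__ == "__main__":
    for cl in alerts(SAMPLE_EVENTS):
        print("ALERT:", cl)
```

Running it flags the first three sample command lines and stays quiet on the last two. The PID case is worth noting when tuning: an operator who resolves the LSASS PID first and passes it to -ma never puts the string "ls" on the command line, so this rule alone is not sufficient coverage for ProcDump-based credential dumping.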