unlikely, because no one should dump an lsass process memory

t1003
t1003.001
t1036
windows
sigma

Techniques

t1003
t1003.001
t1036

Sample rules

Potential LSASS Process Dump Via Procdump

source: sigma
technicques:
- t1003
- t1003.001
- t1036

Description

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

Detection logic

condition: all of selection*
selection_flags:
  CommandLine|contains|windash: ' -ma '
selection_process:
  CommandLine|contains: ' ls'