Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the command line.

Techniques

Sample rules

Potential Credential Dumping Via WER

Description

Detects potential credential dumping via the Windows Error Reporting "LSASS Shtinkering" technique, which abuses Windows Error Reporting (WerFault.exe) to write a memory dump of lsass.exe.

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_lsass:
  ParentImage: C:\Windows\System32\lsass.exe
selection_cli:
  CommandLine|contains|all:
  - ' -u -p '
  - ' -ip '
  - ' -s '
  ParentUser|contains:
  - AUTHORI
  - AUTORI
  User|contains:
  - AUTHORI
  - AUTORI
selection_img:
- Image|endswith: \Werfault.exe
- OriginalFileName: WerFault.exe
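To show how the rule and its false-positive check play out together, here is an added Python example (not part of LoFP or of the Sigma rule) that evaluates the detection logic above over constructed Sysmon-style process-creation events and then applies the triage step from the note: read the PID after WerFault's "-p" switch and compare it with the PID of lsass.exe. The event fields, the PIDs and the lsass_pid value are constructed assumptions, not real telemetry.

```python
import re

# Constructed Sysmon-style process-creation events (assumed values, not real telemetry).
EVENTS = [
    {   # WerFault under SYSTEM whose -p points at lsass: what the rule is after
        "Image": r"C:\Windows\System32\WerFault.exe",
        "OriginalFileName": "WerFault.exe",
        "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 712 -ip 5220 -s 1504",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "ParentUser": r"NT AUTHORITY\SYSTEM",
    },
    {   # Same shape, but -p points at an unrelated process: ordinary WER activity
        "Image": r"C:\Windows\System32\WerFault.exe",
        "OriginalFileName": "WerFault.exe",
        "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4412 -ip 1016 -s 2300",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "ParentUser": r"NT AUTHORITY\SYSTEM",
    },
    {   # WerFault started by lsass.exe itself, which filter_lsass excludes
        "Image": r"C:\Windows\System32\WerFault.exe",
        "OriginalFileName": "WerFault.exe",
        "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 712 -ip 712 -s 1800",
        "ParentImage": r"C:\Windows\System32\lsass.exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "ParentUser": r"NT AUTHORITY\SYSTEM",
    },
]


def matches_rule(ev: dict) -> bool:
    """Evaluate 'all of selection_* and not 1 of filter_*'; Sigma string matching is case-insensitive."""
    cli = ev.get("CommandLine", "").lower()
    selection_cli = (all(tok in cli for tok in (" -u -p ", " -ip ", " -s "))
                     and any(s in ev.get("ParentUser", "").lower() for s in ("authori", "autori"))
                     and any(s in ev.get("User", "").lower() for s in ("authori", "autori")))
    selection_img = (ev.get("Image", "").lower().endswith(r"\werfault.exe")
                     or ev.get("OriginalFileName", "").lower() == "werfault.exe")
    filter_lsass = ev.get("ParentImage", "").lower() == r"c:\windows\system32\lsass.exe"
    return selection_cli and selection_img and not filter_lsass


def target_pid(command_line: str):
    """Return the PID following WerFault's -p switch (the process being reported on), or None."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", command_line)
    return int(m.group(1)) if m else None


def triage(ev: dict, lsass_pid: int) -> str:
    """Apply the LoFP note: a match is only interesting when -p names the lsass PID."""
    if not matches_rule(ev):
        return "no-match"
    return "lsass-dump" if target_pid(ev["CommandLine"]) == lsass_pid else "other-process-crash"
```

In production the lsass PID would come from the process-creation event of lsass.exe on the same host rather than a constant.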