Sigma Rule Browser

LSASS Memory Dump

level

status experimental

Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.

Known false-positives

False positives are present when looking for 0x1410. Exclusions may be required.

References

Raw rule (edit)

title: LSASS Memory Dump
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: experimental
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
author: Samir Bousseaden, Michael Haag
date: 2019/04/03
modified: 2022/02/05
references:
    - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md
    - https://research.splunk.com/endpoint/windows_possible_credential_dumping/
tags:
    - attack.credential_access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains: 
            #- '0x1fffff' # Too many false positives
            #- '0x01000'  # Too many false positives
            #- '0x1010'   # Too many false positives
            - '0x1038'
            - '0x40'
            #- '0x1400'  # Too many false positives
            # - '0x1410' # Too many false positives 
            - '0x1438'
            - '0x143a'
        CallTrace|contains:
            - 'dbghelp.dll'
            - 'dbgcore.dll'
            - 'ntdll.dll'
    condition: selection
falsepositives:
    - False positives are present when looking for 0x1410. Exclusions may be required.
level: high