SafetyKatz writes its lsass memory dump to a fixed default filename, and adversaries may use that dump to extract credentials or to maintain persistence. SOC teams should proactively hunt for this filename in Azure Sentinel so that credential theft or persistence activity is identified early.
Detection Rule

Sigma rule:

title: HackTool - SafetyKatz Dump Indicator
id: e074832a-eada-4fd7-94a1-10642b130e16
status: test
description: Detects default lsass dump filename generated by SafetyKatz.
references:
    - https://github.com/GhostPack/SafetyKatz
    - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
author: Markus Neis
date: 2018-07-24
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\Temp\debug.bin'
    condition: selection
falsepositives:
    - Rare legitimate files with similar filename structure
level: high

Azure Sentinel (KQL) query:

imFileEvent
| where TargetFileName endswith "\\Temp\\debug.bin"
False Positive Scenarios

Scenario: Scheduled System Dump for Debugging Purposes
Description: A system administrator schedules a routine lsass dump with a tool such as ProcDump or Windows Debugger (WinDbg) for troubleshooting.
Filter/Exclusion: Exclude processes initiated by schtasks.exe, or check for known debugging tools in the process chain.

Scenario: Security Tool Performing Memory Analysis
Description: A legitimate security tool such as Volatility or Mandiant Memory Analyzer analyzes memory dumps during incident response.
Filter/Exclusion: Exclude processes whose parent belongs to a known incident response tool, or check for memory analysis tool signatures.

Scenario: Administrative Task Involving lsass Dump
Description: An administrator uses Process Explorer or another Sysinternals tool to capture an lsass dump for forensic analysis.
Filter/Exclusion: Exclude processes whose parent belongs to the Microsoft Sysinternals toolset.

Scenario: Automated Backup Job Including lsass Dump
Description: A scheduled backup job runs a script that captures an lsass dump as part of a system state backup.
Filter/Exclusion: Exclude processes initiated by a known backup service (e.g., Veeam, Commvault, or Windows Server Backup).

Scenario: User-Initiated Memory Analysis for Learning Purposes
Description: A user or developer uses Process Monitor or ProcDump to capture an lsass dump for educational or testing purposes.
Filter/Exclusion: Exclude events from user accounts known to perform system analysis or development work, or check for the presence of such analysis tools in the process tree.
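The following is an added example, not part of the Sigma rule or the page above, that emulates the rule's `endswith` match and one of the exclusion approaches from the scenarios over constructed file-event records. The `FileEvent` record layout, the `ALLOWED_IMAGES` list and the sample events are assumptions made for the example; the only value taken from the page is the `\Temp\debug.bin` suffix.

```python
"""Emulate the SafetyKatz dump-indicator rule over constructed file events.

Added example, not the rule's or the page's own code. The record format,
the allowlist and the sample events are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

# Indicator taken from the rule: SafetyKatz's default dump path suffix.
DUMP_SUFFIX = r"\Temp\debug.bin"

# Hypothetical allowlist modelled on the page's false-positive scenarios:
# image names of debugging/backup tools whose own dumps an analyst may tune out.
ALLOWED_IMAGES = {
    "procdump.exe",
    "procdump64.exe",
    "windbg.exe",
    "veeam.backup.service.exe",
}


@dataclass(frozen=True)
class FileEvent:
    computer: str
    user: str
    image: str             # full path of the process that created the file
    target_filename: str   # full path of the file that was created


def matches_rule(event: FileEvent) -> bool:
    """Apply the rule's selection.

    Sigma string modifiers such as 'endswith' are case-insensitive by
    default, and KQL's endswith is case-insensitive too, so the comparison
    is lowered on both sides to mirror the deployed query.
    """
    return event.target_filename.lower().endswith(DUMP_SUFFIX.lower())


def is_tuned_out(event: FileEvent) -> bool:
    """Exclusion modelled on the scenarios: the creating image is a known tool.

    Image names are attacker-controlled (a binary can be renamed), so this is
    noise reduction for triage, not evidence that the dump was legitimate.
    """
    image_name = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return image_name in ALLOWED_IMAGES


def evaluate(events: Iterable[FileEvent]) -> list[dict]:
    """Return one alert per matching event, flagged with the tuning decision."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        alerts.append({
            "computer": ev.computer,
            "user": ev.user,
            "image": ev.image,
            "target": ev.target_filename,
            "level": "high",          # level from the rule
            "tuned_out": is_tuned_out(ev),
        })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("WS01", "CORP\\jdoe", "C:\\Users\\jdoe\\Downloads\\SafetyKatz.exe",
              "C:\\Windows\\Temp\\debug.bin"),
    FileEvent("WS02", "CORP\\admin", "C:\\Tools\\procdump64.exe",
              "C:\\Windows\\Temp\\DEBUG.BIN"),          # case differs; still matches
    FileEvent("WS03", "CORP\\svc", "C:\\Program Files\\App\\app.exe",
              "C:\\Windows\\Temp\\debug.bin.log"),      # wrong suffix; no match
    FileEvent("WS04", "CORP\\dev", "C:\\Windows\\explorer.exe",
              "C:\\Users\\dev\\Temp\\debug.bin"),       # user temp dir also matches
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the block on the constructed events yields three alerts: the SafetyKatz write and the `explorer.exe` write are left active, while the `procdump64.exe` write is flagged as tuned out. The `tuned_out` flag is kept on the alert rather than used to drop it, so an analyst can review what the exclusion is suppressing before committing it to the production query.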