Adversaries may dump the memory of the LSASS process to extract credentials, so such a dump is an indicator of credential theft or of an attacker establishing persistence. SOC teams should proactively hunt for LSASS dump artefacts in the CrashDumps folder to identify and mitigate credential-compromise attempts in their Azure Sentinel environment.
Detection Rule
title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: test
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
        TargetFilename|contains: 'lsass.exe.'
        TargetFilename|endswith: '.dmp'
    condition: selection
falsepositives:
    - Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high
imFileEvent
| where TargetFileName startswith "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\" and TargetFileName contains "lsass.exe." and TargetFileName endswith ".dmp"
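The following is an added example, not part of the rule or the Sentinel query above: it re-implements the three Sigma TargetFilename modifiers in Python over constructed Sysmon-style file-creation records, then applies the kind of process-name exclusion the false-positive scenarios describe. The allowlist of tool images and the sample events are assumptions for illustration.

```python
# Constructed Sysmon-style file_event records (Event ID 11), not real telemetry.
SAMPLE_EVENTS = [
    {"TargetFilename": r"C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\lsass.exe.1234.dmp",
     "Image": r"C:\Windows\System32\WerFault.exe"},
    {"TargetFilename": r"C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\svchost.exe.9999.dmp",
     "Image": r"C:\Windows\System32\WerFault.exe"},
    {"TargetFilename": r"C:\Temp\lsass.exe.777.dmp",
     "Image": r"C:\Tools\procdump64.exe"},
    {"TargetFilename": r"c:\windows\system32\config\systemprofile\appdata\local\crashdumps\LSASS.EXE.4321.DMP",
     "Image": r"C:\Tools\procdump64.exe"},
]

# The three TargetFilename modifiers from the Sigma selection, lowercased because
# Sigma string matching is case-insensitive by default.
CRASHDUMPS_PREFIX = "c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\crashdumps\\"
NAME_FRAGMENT = "lsass.exe."
DUMP_SUFFIX = ".dmp"

# Assumed allowlist of forensic/debugging tool images drawn from the false-positive
# scenarios; a placeholder to tune per environment, not part of the Sigma rule.
KNOWN_TOOL_IMAGES = frozenset({"procdump.exe", "procdump64.exe", "windbg.exe"})


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the Sigma 'selection' (all three modifiers hold)."""
    name = event.get("TargetFilename", "").lower()
    return (name.startswith(CRASHDUMPS_PREFIX)
            and NAME_FRAGMENT in name
            and name.endswith(DUMP_SUFFIX))


def triage(event: dict, benign_images: frozenset = KNOWN_TOOL_IMAGES) -> str:
    """Apply the rule, then the process-name exclusion for known tooling.
    Returns 'no_match', 'suppressed' or 'alert'."""
    if not matches_rule(event):
        return "no_match"
    # Basename of the creating process, compared case-insensitively.
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return "suppressed" if image in benign_images else "alert"


def run_hunt(events: list, benign_images: frozenset = KNOWN_TOOL_IMAGES) -> list:
    """Triage every event; returns (TargetFilename, verdict) pairs in input order."""
    return [(e["TargetFilename"], triage(e, benign_images)) for e in events]


if __name__ == "__main__":
    for path, verdict in run_hunt(SAMPLE_EVENTS):
        print(f"{verdict:10s} {path}")
```

Dumps written by Windows Error Reporting carry WerFault.exe as the creating image whatever triggered the crash, so validate any process-name exclusion against your own telemetry before relying on it.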
Scenario: Scheduled LSASS Dump for Forensic Analysis
Description: A security team or incident responder manually dumps the LSASS process using tools like Procdump or Process Explorer as part of a forensic investigation.
Filter/Exclusion: Exclude files created by known forensic tools (e.g., procdump.exe, Process Explorer) or filter by user (e.g., Security or Administrators group) and time of day (e.g., during scheduled forensic windows).
Scenario: Windows Update or System Maintenance Task
Description: A system maintenance task or Windows Update process may cause a temporary LSASS crash dump due to memory corruption or compatibility issues.
Filter/Exclusion: Exclude files created during known system update windows or by system services (e.g., svchost.exe, wuauclt.exe) using process name or parent process filtering.
Scenario: Administrative Task: Memory Dump for Debugging
Description: An administrator uses DebugDiag or Windows Debugger to generate a memory dump of LSASS for troubleshooting application or system crashes.
Filter/Exclusion: Exclude files generated by DebugDiag or WinDbg and filter by user (e.g., Administrator) or specific command-line arguments used during the dump.
Scenario: Antivirus or Endpoint Protection Scan
Description: Some endpoint security tools may trigger LSASS dumps as part of their memory scanning or integrity checks.
Filter/Exclusion: Exclude files created by known antivirus or EDR tools (e.g., Microsoft Defender, CrowdStrike, SentinelOne) using process name or parent process filtering.
Scenario: Automated Script or Job for Memory Analysis
Description: A scheduled PowerShell or batch script runs to analyze memory or perform