Adversaries may use Taskmgr.exe (Windows Task Manager, right-click a process and choose "Create dump file") to write a memory dump of the LSASS process to disk; the dump is then parsed offline to recover credential material. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel), because it indicates credential theft in progress and is a common precursor to lateral movement.
Detection Rule
title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
status: test
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
author: Swachchhanda Shrawan Poudel
date: 2023-10-19
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - ':\Windows\system32\taskmgr.exe'
            - ':\Windows\SysWOW64\taskmgr.exe'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '\lsass'
            - '.DMP'
    condition: selection
falsepositives:
    - Rare case of troubleshooting by an administrator or support that has to be investigated regardless
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml
imFileEvent
// ASIM imFileEvent: ActingProcessName is the process that wrote the file,
// TargetFilePath is the full path of the file that was written. Sigma's Image
// maps to the former and TargetFilename to the latter. KQL endswith/contains
// are case-insensitive, matching Sigma's default string semantics.
| where (ActingProcessName endswith @":\Windows\system32\taskmgr.exe" or ActingProcessName endswith @":\Windows\SysWOW64\taskmgr.exe")
    and (TargetFilePath contains @"\AppData\Local\Temp\" and TargetFilePath contains @"\lsass" and TargetFilePath contains ".DMP")
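The following is an added example, not code from the rule author or the Sigma project: it applies the rule's `selection` to Sysmon Event ID 11 (FileCreate) records so the matching semantics can be checked before deploying the KQL. Field names follow the Sigma `windows`/`file_event` log source (`Image`, `TargetFilename`); the sample events are constructed, and the `lsass (2).dmp` name for a second dump is an assumption about Task Manager's numbering.

```python
"""Apply the Taskmgr/LSASS Sigma selection to constructed Sysmon 11 records."""

# Sigma `Image|endswith` values from the rule (drive letter is left open)
IMAGE_SUFFIXES = (
    ":\\Windows\\system32\\taskmgr.exe",
    ":\\Windows\\SysWOW64\\taskmgr.exe",
)

# Sigma `TargetFilename|contains|all` values from the rule
TARGET_FRAGMENTS = (
    "\\AppData\\Local\\Temp\\",
    "\\lsass",
    ".DMP",
)


def matches_taskmgr_lsass_dump(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Sigma string comparisons are case-insensitive unless the `cased`
    modifier is used, so both sides are casefolded before comparing.
    """
    image = event.get("Image", "").casefold()
    target = event.get("TargetFilename", "").casefold()
    image_hit = any(image.endswith(s.casefold()) for s in IMAGE_SUFFIXES)
    target_hit = all(f.casefold() in target for f in TARGET_FRAGMENTS)
    return image_hit and target_hit


# Constructed Sysmon 11 records: one true positive, one mixed-case true
# positive from the SysWOW64 copy of Task Manager, and two non-matching events.
SAMPLE_EVENTS = [
    {   # Task Manager > right-click lsass.exe > "Create dump file"
        "EventID": 11,
        "Computer": "WKS-001",
        "User": "CORP\\jdoe",
        "Image": "C:\\Windows\\system32\\Taskmgr.exe",
        "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\lsass.DMP",
    },
    {   # Same tool, dumping a different process: not credential access
        "EventID": 11,
        "Computer": "WKS-001",
        "User": "CORP\\jdoe",
        "Image": "C:\\Windows\\system32\\Taskmgr.exe",
        "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\notepad.DMP",
    },
    {   # Mixed-case path; assumed numbered name for a second dump (constructed)
        "EventID": 11,
        "Computer": "SRV-FILE01",
        "User": "CORP\\svc_helpdesk",
        "Image": "c:\\windows\\syswow64\\TASKMGR.EXE",
        "TargetFilename": "C:\\Users\\svc_helpdesk\\AppData\\Local\\Temp\\lsass (2).dmp",
    },
    {   # ProcDump writing an LSASS dump: malicious, but outside this rule's Image filter
        "EventID": 11,
        "Computer": "SRV-FILE01",
        "User": "CORP\\jdoe",
        "Image": "C:\\Tools\\procdump64.exe",
        "TargetFilename": "C:\\Tools\\lsass.dmp",
    },
]


def run_rule(events: list) -> list:
    """Return the events that would raise the alert, in input order."""
    return [e for e in events if matches_taskmgr_lsass_dump(e)]


def alert_summary(events: list) -> dict:
    """Group hits by (Computer, User) as a hunt pivot.

    The record looks identical whether or not the account is a local
    administrator, which is why the rule cannot be tuned on group membership.
    """
    summary = {}
    for e in run_rule(events):
        summary.setdefault((e["Computer"], e["User"]), []).append(e["TargetFilename"])
    return summary


if __name__ == "__main__":
    for (host, user), files in alert_summary(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {', '.join(files)}")
```

Note that the fourth record is a real LSASS dump that this rule deliberately does not cover; the ProcDump and comsvcs.dll variants of T1003.001 need their own rules, so a quiet Taskmgr rule is not evidence that LSASS was left alone.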
Scenario: System Administrator Performing Memory Dump for Troubleshooting
Description: An administrator or support engineer uses Task Manager (taskmgr.exe) interactively to create a memory dump of lsass.exe while troubleshooting an authentication or logon problem. This is the only realistic benign source of this alert, and the rule's own falsepositives note says it still has to be investigated.
Filter/Exclusion: Do not exclude on membership of the Administrators group or on account names. Reading LSASS memory already requires local administrator or SYSTEM rights, so an attacker who triggers this rule will appear as an administrator, and such a filter removes exactly the events the rule exists to catch. Treat the hit as a triage item: confirm it against a change or support ticket, verify that the dump file was deleted afterwards, and check the same host for later handling of the dump (copy to a share or removable media, archive creation, outbound transfer).
Example Filter: if a suppression must exist, scope it to a named host and the time window of an approved ticket, never to a user or group, e.g. host_name == "<ticketed-host>" && event_time within <approved-change-window> (placeholders, to be replaced per ticket).
Scenario: Scheduled Job for Security Analysis
Description: A scheduled task or script is believed to collect LSASS dumps for analysis and to be the source of the alert.
Filter/Exclusion: Task Manager is an interactive GUI application and cannot be driven from a scheduled task or script. A job that dumps LSASS would use a command-line tool such as ProcDump, whose file writes do not match this rule because the Image filter requires taskmgr.exe. A hit that appears outside an interactive session is therefore more suspicious, not a candidate for exclusion.
Example Filter: none; an exclusion keyed on ProcDump.exe or schtasks.exe would never intersect with the events this rule produces.
Scenario: LSASS Memory Dump via PowerShell Script
Description: A PowerShell-based security tooling workflow is suspected of producing the alert.
Filter/Exclusion: The same reasoning applies: PowerShell does not invoke Task Manager to dump a process, and the rule only fires on files written by taskmgr.exe. Instead of suppressing, inspect the parent of the taskmgr.exe instance; a Task Manager launched from powershell.exe, cmd.exe or a remote-access tool rather than from explorer.exe is a stronger indicator of hands-on-keyboard activity.
Example Filter: none.
Scenario: User-Initiated Memory Dump for Performance Monitoring
Description: A user with elevated privileges (e.g., a developer or IT support) uses taskmgr.exe to create a