Adversaries may dump LSASS process memory to exfiltrate user credentials, leveraging known file names used by memory dumping tools. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft and mitigate lateral movement risks.
Detection Rule
```yaml
title: LSASS Process Memory Dump Files
id: a5a2d357-1ab8-4675-a967-ef9990a59391
related:
    - id: db2110f3-479d-42a6-94fb-d35bc1e46492
      type: obsolete
    - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
      type: obsolete
status: test
description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
references:
    - https://www.google.com/search?q=procdump+lsass
    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
    - https://github.com/helpsystems/nanodump
    - https://github.com/CCob/MirrorDump
    - https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35
    - https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
author: Florian Roth (Nextron Systems)
date: 2021-11-15
modified: 2024-10-08
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_1:
        TargetFilename|endswith:
            - '\Andrew.dmp'
            - '\Coredump.dmp'
            - '\lsass.dmp'
            - '\lsass.rar'
            - '\lsass.zip'
            - '\NotLSASS.zip' # https://github.com/CCob/MirrorDump
            - '\PPLBlade.dmp' # https://github.com/tastypepperoni/PPLBlade
            - '\rustive.dmp' # https://github.com/safedv/RustiveDump/blob/main/src/main.rs#L35
    selection_2:
        TargetFilename|contains:
            - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
            - '\lsassdmp'
            - '\lsassdump'
    selection_3:
        TargetFilename|contains|all:
            - '\lsass'
            - '.dmp'
    selection_4:
        TargetFilename|contains: 'SQLDmpr'
        TargetFilename|endswith: '.mdmp'
    selection_5:
        TargetFilename|contains:
            - '\nanodump'
            - '\proc_' # NativeDump pattern https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
        TargetFilename|endswith: '.dmp'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
```
Azure Sentinel (KQL) translation:

```kql
imFileEvent
| where (TargetFileName endswith "\\Andrew.dmp" or TargetFileName endswith "\\Coredump.dmp" or TargetFileName endswith "\\lsass.dmp" or TargetFileName endswith "\\lsass.rar" or TargetFileName endswith "\\lsass.zip" or TargetFileName endswith "\\NotLSASS.zip" or TargetFileName endswith "\\PPLBlade.dmp" or TargetFileName endswith "\\rustive.dmp")
    or (TargetFileName contains "\\lsass_2" or TargetFileName contains "\\lsassdmp" or TargetFileName contains "\\lsassdump")
    or (TargetFileName contains "\\lsass" and TargetFileName contains ".dmp")
    or (TargetFileName contains "SQLDmpr" and TargetFileName endswith ".mdmp")
    or ((TargetFileName contains "\\nanodump" or TargetFileName contains "\\proc_") and TargetFileName endswith ".dmp")
```
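The rule's five selections and its `1 of selection_*` condition, implemented in Python over constructed sample file paths, as an added example (not code from the rule, the Sigma project or Azure Sentinel). It shows how several selections can fire on one path and why the comparison is case-insensitive, matching Sigma's default and KQL's `endswith`/`contains`.

```python
"""Reference implementation of the LSASS dump-file rule's detection block.
Added example; the sample events below are constructed, not real telemetry."""

# Sigma string modifiers match case-insensitively by default, as do the KQL
# operators endswith/contains, so everything is compared in lower case.
ENDSWITH_1 = ('\\andrew.dmp', '\\coredump.dmp', '\\lsass.dmp', '\\lsass.rar',
              '\\lsass.zip', '\\notlsass.zip', '\\pplblade.dmp', '\\rustive.dmp')
CONTAINS_2 = ('\\lsass_2', '\\lsassdmp', '\\lsassdump')
CONTAINS_5 = ('\\nanodump', '\\proc_')


def matched_selections(target_filename: str) -> list[str]:
    """Return the names of every selection the path satisfies (empty = no alert)."""
    f = target_filename.lower()
    hits = []
    if f.endswith(ENDSWITH_1):                  # selection_1: endswith list
        hits.append('selection_1')
    if any(s in f for s in CONTAINS_2):         # selection_2: contains list
        hits.append('selection_2')
    if '\\lsass' in f and '.dmp' in f:          # selection_3: contains|all
        hits.append('selection_3')
    if 'sqldmpr' in f and f.endswith('.mdmp'):  # selection_4: two fields ANDed
        hits.append('selection_4')
    if any(s in f for s in CONTAINS_5) and f.endswith('.dmp'):  # selection_5
        hits.append('selection_5')
    return hits


def is_alert(target_filename: str) -> bool:
    """condition: 1 of selection_* -- any single selection is enough."""
    return bool(matched_selections(target_filename))


# Constructed sample file_event TargetFilename values.
SAMPLE_EVENTS = [
    r'C:\Windows\Temp\lsass.dmp',                 # selection_1 and selection_3
    r'C:\Users\Public\lsass_240515_101500.dmp',   # procdump v9 default name
    r'C:\Temp\LSASS.DMP',                         # case differs, still matched
    r'C:\ProgramData\proc_1234.dmp',              # NativeDump-style name
    r'C:\Program Files\Microsoft SQL Server\MSSQL\LOG\SQLDmpr0001.mdmp',
    r'C:\Temp\nanodump.txt',                      # wrong extension: no alert
    r'C:\Users\alice\Documents\report.docx',      # benign: no alert
]

if __name__ == '__main__':
    for path in SAMPLE_EVENTS:
        print(f'{path:70} -> {matched_selections(path) or "no match"}')
```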
**Scenario: Scheduled LSASS Memory Dump for Security Auditing**

**Description:** A security team regularly performs memory dumps of the LSASS process as part of a routine security audit to check for credential theft or malware persistence.

**Filter/Exclusion:** Exclude files created by the mimikatz tool in a known audit environment, e.g., C:\SecurityAudits\LSASS_Dump_20240515.dmp, or files with timestamps matching scheduled audit windows.

**Scenario: LSASS Dump via Sysinternals Tools for Incident Response**

**Description:** A red team or incident response team uses tools like procdump or mimikatz to capture LSASS memory dumps during a live investigation.

**Filter/Exclusion:** Exclude files created by procdump in directories like C:\Temp\LSASS_Dumps\, or files named LSASS.dmp that were generated by known incident response tools.

**Scenario: Automated Credential Harvesting for Password Reset Tasks**

**Description:** An admin task or script is configured to dump LSASS memory to retrieve credentials for password reset or account management purposes.

**Filter/Exclusion:** Exclude files generated by scripts or tools used in password reset workflows, such as C:\Scripts\PasswordReset\LSASS_Dump_20240515.dmp, or files with associated admin task IDs.

**Scenario: LSASS Dump for Forensic Analysis in a Legal Case**

**Description:** A legal or forensic team creates LSASS memory dumps as part of an investigation or compliance requirement.

**Filter/Exclusion:** Exclude files created in a known forensic analysis directory, such as C:\Forensics\LSASS_Dumps\, or those with timestamps matching the start of the legal investigation.
**Scenario: LSASS Dump via