
Potential LSASS Process Dump Via Procdump

Source: sigma · Level: HIGH · Repository: SigmaHQ
Techniques: T1036, T1003.001
Sentinel table: imProcessCreate
Tags: credential-theft, lateral-movement
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-22T23:00:00Z · Confidence: high

Hunt Hypothesis

Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers (" ls", " keyiso", " samss").

Detection Rule

Sigma (Original)

title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
    Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
    This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
    LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
    Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
    - https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002
    - https://x.com/wietze/status/1958302556033065292?s=12
author: Florian Roth (Nextron Systems)
date: 2018-10-30
modified: 2025-10-19
tags:
    - attack.stealth
    - attack.t1036
    - attack.credential-access
    - attack.t1003.001
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection_flags:
        CommandLine|contains|windash:
            - ' -ma '
            - ' -mm ' # Mini dump
            - ' -mp ' # Miniplus dump
    selection_process:
        CommandLine|contains:
            - ' ls' # Short for lsass
            - ' keyiso'
            - ' samss'
    condition: all of selection_*
falsepositives:
    - Unlikely, because no one should dump an lsass process memory
    - Another tool that uses command line flags similar to ProcDump
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains " -ma " or TargetProcessCommandLine contains " /ma " or TargetProcessCommandLine contains " –ma " or TargetProcessCommandLine contains " —ma " or TargetProcessCommandLine contains " ―ma "
    or TargetProcessCommandLine contains " -mm " or TargetProcessCommandLine contains " /mm " or TargetProcessCommandLine contains " –mm " or TargetProcessCommandLine contains " —mm " or TargetProcessCommandLine contains " ―mm "
    or TargetProcessCommandLine contains " -mp " or TargetProcessCommandLine contains " /mp " or TargetProcessCommandLine contains " –mp " or TargetProcessCommandLine contains " —mp " or TargetProcessCommandLine contains " ―mp ")
    and (TargetProcessCommandLine contains " ls" or TargetProcessCommandLine contains " keyiso" or TargetProcessCommandLine contains " samss")
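As an added example (not SigmaHQ code and not part of the original rule page), the Python below re-implements the rule's matching logic so an analyst can see exactly which command lines the Sigma windash expansion and the "all of selection_*" condition catch, and which they miss. The dash variants mirror the KQL translation above; the event records and their command lines are constructed sample data, not real telemetry.

```python
"""Re-implementation of the Sigma rule's matching logic (added example).

Not SigmaHQ code. The event dicts below are constructed sample data.
"""

# Sigma's |windash modifier expands a leading '-' into the dash characters
# Windows tools accept. This list mirrors the KQL translation on the page:
# hyphen, slash, en dash, em dash, horizontal bar.
WINDASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]

DUMP_FLAGS = [" -ma ", " -mm ", " -mp "]        # full, mini, miniplus dump
PROCESS_MARKERS = [" ls", " keyiso", " samss"]  # lsass and related markers


def windash(values):
    """Expand each ' -xx ' value into all dash variants (Sigma windash)."""
    expanded = []
    for value in values:
        prefix, rest = value.split("-", 1)
        for dash in WINDASH_VARIANTS:
            expanded.append(prefix + dash + rest)
    return expanded


FLAG_PATTERNS = windash(DUMP_FLAGS)  # 3 flags x 5 dash variants = 15 patterns


def matches(command_line):
    """True when both selections hold (condition: all of selection_*).

    Matching is plain substring search, like Sigma's |contains.
    """
    selection_flags = any(p in command_line for p in FLAG_PATTERNS)
    selection_process = any(m in command_line for m in PROCESS_MARKERS)
    return selection_flags and selection_process


def hunt(events):
    """Return the events whose CommandLine matches, for analyst triage."""
    return [e for e in events if matches(e["CommandLine"])]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Full dump of lsass: " -ma " and " ls" (inside " lsass.exe") both present
    {"Image": "C:\\Tools\\procdump64.exe",
     "CommandLine": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    # En dash variant of -mm, target abbreviated to "ls"
    {"Image": "C:\\Tools\\procdump64.exe",
     "CommandLine": "procdump64.exe -accepteula \u2013mm ls dump.dmp"},
    # Slash variant of -mp against the samss marker
    {"Image": "C:\\Tools\\procdump64.exe",
     "CommandLine": "procdump64.exe -accepteula /mp samss out.dmp"},
    # Dump flag present but no LSASS-related marker: not an alert
    {"Image": "C:\\Tools\\procdump64.exe",
     "CommandLine": "procdump64.exe -accepteula -ma notepad.exe notepad.dmp"},
    # Unrelated process creation
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\Users"},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

Note that, like the original rule, this logic keys only on CommandLine and never on Image, which is why the rule's false-positive list includes other tools that happen to use similar flags; adding an Image or OriginalFileName clause would tighten it at the cost of missing renamed copies of ProcDump.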

Required Data Sources

Sentinel Table: imProcessCreate
Notes: Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml