Adversaries may abuse WerFault.exe (Windows Error Reporting) to write a memory dump of the LSASS process, which holds user credentials, to disk and then exfiltrate it. SOC teams should proactively hunt for this behaviour in Azure Sentinel to detect potential credential theft and the lateral movement that typically follows it.
Detection Rule
title: WerFault LSASS Process Memory Dump
id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
status: test
description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
references:
    - https://github.com/helpsystems/nanodump
author: Florian Roth (Nextron Systems)
date: 2022-06-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: C:\WINDOWS\system32\WerFault.exe
        TargetFilename|contains:
            - '\lsass'
            - 'lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
imFileEvent
// ActingProcessName is the process that wrote the file (Sigma "Image");
// TargetFilePath is the full path of the file written (Sigma "TargetFilename").
// Comparing TargetFilePath to WerFault.exe, as the original query did, can never
// be true at the same time as the lsass test on the file name, so it matches nothing.
| where ActingProcessName =~ "C:\\WINDOWS\\system32\\WerFault.exe"
    and (TargetFilePath contains "\\lsass" or TargetFilePath contains "lsass.exe")
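To make the selection logic concrete, here is an added example (not from the original page or the Sigma project) that evaluates the rule's selection block in Python over constructed Sysmon-style file-create events; the event ids, sample paths and the `procdump.exe` location are assumptions for illustration.

```python
# Added example: a minimal evaluator for the rule's "selection" block, run over
# constructed file-create events to show what the rule does and does not flag.

# The rule's selection block, written as a Python dict equivalent to the YAML.
SELECTION = {
    "Image": r"C:\WINDOWS\system32\WerFault.exe",
    "TargetFilename|contains": [r"\lsass", "lsass.exe"],
}

def field_matches(event, field_spec, patterns):
    """Evaluate one `field[|modifier]: value(s)` entry of a Sigma selection.
    Sigma string matching is case-insensitive, and a list of values is OR-ed."""
    field, *modifiers = field_spec.split("|")
    value = str(event.get(field, "")).lower()
    if isinstance(patterns, str):
        patterns = [patterns]
    for pattern in patterns:
        p = str(pattern).lower()
        if "contains" in modifiers:
            hit = p in value
        else:
            hit = value == p  # no modifier: exact, case-insensitive match
        if hit:
            return True
    return False

def rule_matches(event, selection=SELECTION):
    """All entries of a selection map are AND-ed together."""
    return all(field_matches(event, spec, pats) for spec, pats in selection.items())

# Constructed sample events using Sysmon Event ID 11 (FileCreate) field names.
EVENTS = [
    {"id": "werfault-lsass-dmp",                     # should alert
     "Image": r"C:\WINDOWS\system32\WerFault.exe",
     "TargetFilename": r"C:\Windows\Temp\lsass.exe.dmp"},
    {"id": "werfault-excel-crash",                   # benign WER dump, no alert
     "Image": r"C:\WINDOWS\system32\WerFault.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\WER\Temp\WER1234.tmp.dmp"},
    {"id": "procdump-lsass",                         # other tool: outside this rule's scope
     "Image": r"C:\Tools\procdump.exe",
     "TargetFilename": r"C:\Temp\lsass.dmp"},
    {"id": "werfault-mixed-case",                    # case differs, still alerts
     "Image": r"c:\windows\system32\werfault.exe",
     "TargetFilename": r"C:\Users\Public\LSASS.dmp"},
]

def alerts(events):
    """Return the ids of the events that match the rule."""
    return [e["id"] for e in events if rule_matches(e)]
```

Note that the procdump event is not flagged by this rule even though it writes an lsass dump: the rule is scoped to WerFault as the writing process, so dumps taken with other tools need their own detection.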
Scenario: Scheduled LSASS Memory Dump for Security Auditing
    Description: A security team uses the procdump tool (from Sysinternals) to create a memory dump of the LSASS process as part of a routine security audit.
    Filter/Exclusion: Check for the presence of procdump.exe in the command line or filter by the user account (e.g., securityteam or auditadmin).

Scenario: Windows Error Reporting (WER) Generating a Dump File
    Description: The Windows Error Reporting (WER) service automatically generates a memory dump of the LSASS process due to a system crash or application failure.
    Filter/Exclusion: Filter by the process name werfault.exe or check the dump file path (e.g., C:\Windows\Minidump\) to distinguish from malicious activity.

Scenario: Admin Task to Analyze LSASS Memory for Forensic Purposes
    Description: An administrator uses ProcDump or DebugDiag to create a memory dump of LSASS for forensic analysis or incident response.
    Filter/Exclusion: Filter by the user account (e.g., admin or incidentresponse) or check the command line arguments for forensic tools.

Scenario: Group Policy or Scripted Task to Monitor LSASS
    Description: A group policy or scheduled task runs a script that uses ProcDump or Process Explorer to monitor or dump LSASS memory as part of a security baseline.
    Filter/Exclusion: Filter by the task name (e.g., LSASS_Monitoring_Task) or the user account (e.g., domainadmin or gpoadmin).

Scenario: Antivirus or EDR Tool Performing Memory Analysis
    Description: An endpoint detection and response (EDR)