credential_access_lsass_memory_dumping.yml
name: LSASS memory dumping via legitimate or offensive tools
id: 335795af-246b-483e-8657-09a30c102e63
version: 1.2.1
description: |
  Detects an attempt to dump the LSASS memory to the disk by employing legitimate
  tools such as procdump, Task Manager, Process Explorer or built-in Windows tools
  such as comsvcs.dll.
labels:
  tactic.id: TA0006
  tactic.name: Credential Access
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1003
  technique.name: OS Credential Dumping
  technique.ref: https://attack.mitre.org/techniques/T1003/
  subtechnique.id: T1003.001
  subtechnique.name: LSASS Memory
  subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
references:
  - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
  - https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before
condition: >
  sequence
  maxspan 2m
  by ps.uuid
    |open_process and
       ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE') and
       evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and
       ps.exe not imatches
        (
          '?:\\Windows\\System32\\svchost.exe',
          '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
        )
    |
    |create_new_file and
       file.path not imatches
        (
          '?:\\$WinREAgent\\Scratch\\*',
          '?:\\Windows\\WinSxS\\*',
          '?:\\Windows\\CbsTemp\\*',
          '?:\\Windows\\SoftwareDistribution\\*'
        ) and
       (file.extension iin ('.dmp', '.mdmp', '.dump') or is_minidump(file.path))
    |
output: >
  Detected an attempt by `%1.ps.name` process to access and read
  the memory of the **Local Security Authority Subsystem Service**
  and subsequently write the `%2.file.path` dump file to the disk device
severity: critical
min-engine-version: 3.0.0
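The two-stage correlation the condition above expresses (a qualifying handle open on lsass.exe, then a dump file written by the same process within maxspan, with the rule's opener and path exclusions), replayed in Python over constructed events as an added example that is not part of Fibratus or this rule. The event dictionaries, their field names (ps_uuid, ps_exe, target, header) and the helpers imatches, is_minidump and detect are assumptions that mirror the rule's operators; only the Windows path, access-mask and extension literals are copied from the rule.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
# Literals below are copied from the rule; the correlator is a constructed example.
LSASS = "?:\\Windows\\System32\\lsass.exe"
ACCESS = {"ALL_ACCESS", "CREATE_PROCESS", "VM_READ", "DUP_HANDLE"}
EXCL_OPENERS = ("?:\\Windows\\System32\\svchost.exe",
                "?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe")
EXCL_PATHS = ("?:\\$WinREAgent\\Scratch\\*", "?:\\Windows\\WinSxS\\*",
              "?:\\Windows\\CbsTemp\\*", "?:\\Windows\\SoftwareDistribution\\*")
MAXSPAN = timedelta(minutes=2)
def imatches(value, patterns):
    """Case-insensitive glob match, like the rule's `imatches` operator."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
def is_minidump(header):
    """Minidump files open with the ASCII signature 'MDMP' (0x504D444D little-endian)."""
    return header[:4] == b"MDMP"
def detect(events):
    """Replay the rule's two-stage sequence; return (opener exe, dump path) hits."""
    pending, hits = {}, []  # pending: ps.uuid -> qualifying lsass open_process event
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "open_process":
            if (ACCESS & set(ev["access"]) and imatches(ev["target"], [LSASS])
                    and not imatches(ev["ps_exe"], EXCL_OPENERS)):
                pending[ev["ps_uuid"]] = ev
        elif ev["type"] == "create_new_file":
            first = pending.get(ev["ps_uuid"])
            if first is None or ev["ts"] - first["ts"] > MAXSPAN:
                continue  # no qualifying lsass open by this process within maxspan
            if imatches(ev["path"], EXCL_PATHS):
                continue  # servicing/WinRE locations the rule excludes
            if ev["path"].lower().endswith((".dmp", ".mdmp", ".dump")) or is_minidump(ev["header"]):
                hits.append((first["ps_exe"], ev["path"]))
                del pending[ev["ps_uuid"]]  # one alert per matched sequence
    return hits
T = datetime(2024, 1, 1, 12, 0)  # constructed timeline for three processes a, b, c
def op(uuid, exe, access):  # constructed open_process event targeting lsass.exe
    return {"type": "open_process", "ts": T, "ps_uuid": uuid, "ps_exe": exe,
            "target": "C:\\Windows\\System32\\lsass.exe", "access": access}
def cf(uuid, path, header, secs):  # constructed create_new_file event, secs after T
    return {"type": "create_new_file", "ts": T + timedelta(seconds=secs),
            "ps_uuid": uuid, "path": path, "header": header}
SAMPLE = [
    op("a", "C:\\Tools\\pd.exe", ["VM_READ"]),
    cf("a", "C:\\Tools\\out.txt", b"MDMP\x93\xa7", 20),  # renamed minidump: hit
    op("b", "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe", ["ALL_ACCESS"]),
    cf("b", "C:\\Temp\\lsass.dmp", b"MDMP", 5),  # excluded opener (Defender): no hit
    op("c", "C:\\Tools\\slow.exe", ["DUP_HANDLE"]),
    cf("c", "C:\\Temp\\lsass.dmp", b"MDMP", 180),  # .dmp but outside maxspan: no hit
]
```

Only process `a` fires: its dump has a non-dump extension but carries the MDMP signature, which is exactly the renamed-dump case the `is_minidump` branch of the rule covers.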