LSASS Memory Dumping
Detects creation of memory dump files of lsass.exe. The LSASS process holds cached credential material (NTLM hashes, Kerberos tickets, and plaintext passwords when WDigest caching is enabled), so a dump of its address space can be parsed offline to recover credentials.
| Field | Value |
|---|---|
| id | 210b4ea4-12fc-11e9-8d76-4d6bb837cda4 |
| categories | detect |
| confidence | high |
| os | windows |
| created | 01/07/2019 |
| updated | 01/07/2019 |
MITRE ATT&CK™ Mapping

| Field | Value |
|---|---|
| tactics | Credential Access |
| techniques | T1003 Credential Dumping |
Query

```eql
file where file_name == "lsass*.dmp" and process_name != "werfault.exe"
```