# LSASS Memory Dumping via ProcDump.exe

Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe, which contains sensitive credentials.
| id | 1e1ef6be-12fc-11e9-8d76-4d6bb837cda4 |
|---|---|
| categories | detect |
| confidence | high |
| os | windows |
| created | 01/07/2019 |
| updated | 01/07/2019 |
## MITRE ATT&CK™ Mapping

| tactics | Credential Access |
|---|---|
| techniques | T1003 Credential Dumping |
## Query

```eql
process where subtype.create and
process_name == "procdump*.exe" and command_line == "*lsass*"
```