LSASS Memory Dumping via ProcDump.exe
Identifies use of the Sysinternals ProcDump utility (procdump.exe or procdump64.exe) to write the memory of lsass.exe to disk. LSASS holds cached credentials (hashes, Kerberos tickets and, when WDigest is enabled, plaintext passwords), so a full-memory dump of it is a common precursor to offline credential extraction.
| id: | 1e1ef6be-12fc-11e9-8d76-4d6bb837cda4 |
|---|---|
| categories: | detect |
| confidence: | high |
| os: | windows |
| created: | 01/07/2019 |
| updated: | 01/07/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Credential Access |
|---|---|
| techniques: | T1003 Credential Dumping |
Query

```eql
process where subtype.create and
process_name == "procdump*.exe" and command_line == "*lsass*"
```

In this EQL dialect `==` on strings is case-insensitive and honours `*` wildcards, so `procdump*.exe` also covers `procdump64.exe`, and `*lsass*` matches `-ma lsass.exe` as well as `LSASS.EXE` or a dump file name containing `lsass`. The match depends on both the original binary name and the string `lsass` appearing on the command line: ProcDump pointed at LSASS by PID (`procdump -ma <pid> out.dmp`), or a renamed copy of the binary, is not caught by this query and needs separate coverage.