LSASS Memory Dumping via ProcDump.exe

Identifies use of Sysinternals ProcDump (procdump.exe or procdump64.exe) to dump the memory of lsass.exe, which holds cached credential material such as NTLM hashes and Kerberos tickets. The detection keys on process name and command line only: a renamed ProcDump binary, or a dump taken by PID rather than by the name "lsass", will not match this query.

id:1e1ef6be-12fc-11e9-8d76-4d6bb837cda4
categories:detect
confidence:high
os:windows
created:01/07/2019
updated:01/07/2019

MITRE ATT&CK™ Mapping

tactics:Credential Access
techniques:T1003 Credential Dumping

Query

process where subtype.create and
  process_name == "procdump*.exe" and command_line == "*lsass*"

Contributors