LSASS Memory Dumping

Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.

id:210b4ea4-12fc-11e9-8d76-4d6bb837cda4
categories:detect
confidence:high
os:windows
created:01/07/2019
updated:01/07/2019

MITRE ATT&CK™ Mapping

tactics:Credential Access
techniques:T1003 Credential Dumping

Query

file where file_name == "lsass*.dmp" and process_name != "werfault.exe"
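
The query's logic applied to constructed file-creation events, as an added example that is not part of the eqllib page or the eql library: it assumes EQL's case-insensitive string comparison with `*` wildcards and emulates that with fnmatch, keeping the WerFault.exe exclusion (the legitimate source of crash dumps) and the `file` event-type restriction.

```python
# Added example: a minimal Python evaluation of the analytic
#   file where file_name == "lsass*.dmp" and process_name != "werfault.exe"
# Field names mirror the query; EQL string matching is assumed case-insensitive.
import fnmatch

# Constructed sample events (not from any real host).
SAMPLE_EVENTS = [
    {"event_type": "file", "file_name": "lsass.DMP",
     "file_path": "C:\\Windows\\Temp\\lsass.DMP", "process_name": "procdump64.exe"},
    {"event_type": "file", "file_name": "lsass.exe_190107.dmp",
     "file_path": "C:\\ProgramData\\lsass.exe_190107.dmp", "process_name": "taskmgr.exe"},
    # Windows Error Reporting writing a crash dump: excluded by the rule.
    {"event_type": "file", "file_name": "lsass.exe.4321.dmp",
     "file_path": "C:\\Windows\\Temp\\lsass.exe.4321.dmp", "process_name": "WerFault.exe"},
    # A dump of a different process: name does not match the wildcard.
    {"event_type": "file", "file_name": "notepad.dmp",
     "file_path": "C:\\Temp\\notepad.dmp", "process_name": "procdump64.exe"},
    # Not a file event, so the "file where" clause excludes it.
    {"event_type": "process", "file_name": "lsass.dmp",
     "file_path": "", "process_name": "cmd.exe"},
]


def matches_lsass_dump_rule(event):
    """True when the event satisfies the analytic's three conditions."""
    if event.get("event_type") != "file":
        return False
    # Lower-case both sides and use fnmatchcase for a platform-independent,
    # case-insensitive wildcard match (fnmatch.fnmatch only folds case on Windows).
    file_name = event.get("file_name", "").lower()
    process_name = event.get("process_name", "").lower()
    return fnmatch.fnmatchcase(file_name, "lsass*.dmp") and process_name != "werfault.exe"


def run_rule(events):
    """Return the events that would raise this analytic."""
    return [e for e in events if matches_lsass_dump_rule(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: {hit['process_name']} wrote {hit['file_path']}")
```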

Contributors