LSASS Memory Dumping
Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.
| field | value |
|---|---|
| id | 210b4ea4-12fc-11e9-8d76-4d6bb837cda4 |
| categories | detect |
| confidence | high |
| os | windows |
| created | 01/07/2019 |
| updated | 01/07/2019 |
MITRE ATT&CK™ Mapping
| field | value |
|---|---|
| tactics | Credential Access |
| techniques | T1003 Credential Dumping |
Query
```eql
file where file_name == "lsass*.dmp" and process_name != "werfault.exe"
```
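The query above, re-implemented in Python and run over constructed file events, as an added example that is not part of the original analytic. It assumes `file_name` carries only the base name, and that EQL string comparisons are case-insensitive with `*` as a wildcard (so `LSASS.DMP` matches); the sample events, process names and paths are made up for the demonstration.

```python
import fnmatch

# Constructed sample events (not from the analytic page). Field names mirror the
# EQL schema used by the query: event_type, file_name, process_name.
SAMPLE_EVENTS = [
    {"event_type": "file", "file_name": "lsass.dmp", "process_name": "suspicious_tool.exe",
     "file_path": "C:\\Windows\\Temp\\lsass.dmp"},
    # Mixed case: Windows file names are case-insensitive, so this must still match.
    {"event_type": "file", "file_name": "LSASS.DMP", "process_name": "rundll32.exe",
     "file_path": "C:\\Users\\Public\\LSASS.DMP"},
    # Crash dump written by Windows Error Reporting: excluded by the query's != clause.
    {"event_type": "file", "file_name": "lsass.dmp", "process_name": "WerFault.exe",
     "file_path": "C:\\ProgramData\\Microsoft\\Windows\\WER\\lsass.dmp"},
    # Unrelated file write: does not match the lsass*.dmp pattern.
    {"event_type": "file", "file_name": "report.txt", "process_name": "notepad.exe",
     "file_path": "C:\\Users\\alice\\report.txt"},
    # Process event, not a file event: never considered by a 'file where' query.
    {"event_type": "process", "file_name": "lsass.dmp", "process_name": "cmd.exe",
     "file_path": ""},
]


def eql_eq(value, pattern):
    """Assumed EQL string equality: case-insensitive, '*' in the literal is a wildcard."""
    if value is None:
        return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_lsass_dump(event):
    """Python equivalent of:
    file where file_name == "lsass*.dmp" and process_name != "werfault.exe"
    """
    return (event.get("event_type") == "file"
            and eql_eq(event.get("file_name"), "lsass*.dmp")
            and not eql_eq(event.get("process_name"), "werfault.exe"))


def find_lsass_dumps(events):
    """Return the events that would raise this analytic, in input order."""
    return [e for e in events if is_lsass_dump(e)]


if __name__ == "__main__":
    for hit in find_lsass_dumps(SAMPLE_EVENTS):
        print(f"ALERT: {hit['process_name']} wrote {hit['file_path']}")
```

The `werfault.exe` exclusion removes the most common benign source of `lsass.dmp` files at the cost of a blind spot for dumps written under that process name, so a deployment should pair this analytic with review of dump files that land outside the WER directory.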