Detect memory dumping of the LSASS process.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2019-12-06
- Author: Patrick Bareiss, Splunk
- ID: fb4c31b0-13e8-4155-8aa5-24de4b8d6717
|T1003.001||LSASS Memory||Credential Access|
`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, TargetProcessId, SourceImage, SourceProcessId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`
Associated Analytic Story
How To Implement
This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named
sysmon. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
Kill Chain Phase
- Actions on Objectives
Known False Positives
Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.
|63.0||70||90||process $SourceImage$ injected into $TargetImage$ and was attempted dump LSASS on $dest$. Adversaries tend to do this when trying to accesss credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).|
source | version: 2