Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-02-03
- Author: Michael Haag, Splunk
- ID: b2fbe95a-9c62-4c12-8a29-24b97e84c0cd
|T1003.001||LSASS Memory||Credential Access|
`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by Computer, object_category, process_name, TargetFilename | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`
Associated Analytic Story
How To Implement
This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named
sysmon. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
Kill Chain Phase
- Actions on Objectives
Known False Positives
Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.
|80.0||80||100||$process_name$ was identified on endpoint $Computer$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.|
source | version: 1