Skip to content

Hide Navigation Hide TOC

Potential LSASS Process Dump Via Procdump (5afee48e-67dd-4e03-a783-f74259dcf998)

Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.

Cluster A Galaxy A Cluster B Galaxy B Level
Potential LSASS Process Dump Via Procdump (5afee48e-67dd-4e03-a783-f74259dcf998) Sigma-Rules LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 1
Potential LSASS Process Dump Via Procdump (5afee48e-67dd-4e03-a783-f74259dcf998) Sigma-Rules Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2