Skip to content

Hide Navigation Hide TOC

Potential LSASS Process Dump Via Procdump (5afee48e-67dd-4e03-a783-f74259dcf998)

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

Cluster A Galaxy A Cluster B Galaxy B Level
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Potential LSASS Process Dump Via Procdump (5afee48e-67dd-4e03-a783-f74259dcf998) Sigma-Rules 1
Potential LSASS Process Dump Via Procdump (5afee48e-67dd-4e03-a783-f74259dcf998) Sigma-Rules Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2