add ProcDump-based LSASS memory dump detection #1139
akshat4703 wants to merge 4 commits into mandiant:master from
Conversation
do you have an associated sample that you used to test/develop this rule?
Yes, Added meta.examples from the sample I used during development: 91a12a4cf437589ba70b1687f5acad19:0x43E1C9
@akshat4703 please open a pull request at https://github.com/mandiant/capa-testfiles for your test sample.
This sample is already present in capa-testfiles: https://github.com/mandiant/capa-testfiles/blob/master/91a12a4cf437589ba70b1687f5acad19.exe_ (added in mandiant/capa-testfiles@ff64276), so no additional testfiles PR is required.
nursery/dump-lsass-memory-via-openprocess-and-minidumpwritedump.yml (three resolved review threads)
| att&ck: | ||
| - Credential Access::OS Credential Dumping::LSASS Memory [T1003.001] | ||
| references: | ||
| - https://attack.mitre.org/techniques/T1003/001/ |
| - https://attack.mitre.org/techniques/T1003/001/ | ||
| - https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump | ||
| examples: | ||
| - 91a12a4cf437589ba70b1687f5acad19 |
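Review bot: the `examples` entry at the end of this hunk carries only the sample hash `91a12a4cf437589ba70b1687f5acad19`, so it does not say which function in that sample matches. The conversation above already names the matched function in `hash:offset` form (`91a12a4cf437589ba70b1687f5acad19:0x43E1C9`); the entry should be written that way so the example can be verified against the specific function rather than the whole file.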
Please add the matched function.
| - optional: | ||
| - string: /\\?lsass(\.exe)?/i |
Please explain how this can be optional without losing the rule's intent?
Summary
Add a new nursery rule to detect LSASS memory dumping using ProcDump based on command execution patterns.
The rule identifies behavior where ProcDump is used to create a memory dump of the lsass process, which is a common technique used by attackers to extract Windows credentials.

What Changed
Added a new rule: dump-lsass-memory-via-procdump.yml

The rule matches when the following indicators appear together:
- Process creation behavior: match: host-interaction/process/create
- ProcDump execution indicator: procdump or procdump64 (with optional .exe)
- LSASS process target: lsass or lsass.exe
- Dump-related arguments or output: -ma, -mm, -mp, or .dmp

Optional command-line arguments supported:
- -accepteula

Requiring multiple signals helps reduce false positives while capturing realistic attacker usage patterns.
Why
ProcDump is frequently abused as a LOLBin to dump memory from the LSASS (Local Security Authority Subsystem Service) process. Attackers can then extract credentials from the dump using tools such as Mimikatz.
This rule helps identify that behavior by matching common ProcDump command-line patterns targeting LSASS.
Example attacker command:
ATT&CK Mapping
Credential Access → OS Credential Dumping → LSASS Memory
MITRE ATT&CK: T1003.001
References
Validation
The rule was validated with the following checks:
Both checks passed successfully.
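The indicator list in the description above, exercised against constructed command lines as an added example. This is not the PR's rule file and not capa's own matching engine: the regexes, the `classify` and `matched_commands` helpers and the sample command lines are this example's assumptions, written to mirror the description (procdump/procdump64 with optional .exe, lsass/lsass.exe, -ma/-mm/-mp or a .dmp path, optional -accepteula). It also shows the consequence of the `optional:` question raised in review: with the lsass signal dropped from the required set, any ProcDump dump of any process matches.

```python
import re

# Indicator patterns modelled on the PR description's list. Matching is
# case-insensitive, like the /.../i string feature quoted in the review thread.
# These regexes are this example's own, not the rule file's.
PROCDUMP_RE = re.compile(r"(?:^|[\\/\s\"'])procdump(?:64)?(?:\.exe)?\b", re.I)
LSASS_RE = re.compile(r"\\?lsass(?:\.exe)?\b", re.I)
DUMP_ARG_RE = re.compile(r"(?<=\s)-m[amp]\b|\.dmp\b", re.I)
ACCEPTEULA_RE = re.compile(r"-accepteula\b", re.I)


def classify(cmdline, require_lsass=True):
    """Evaluate one created-process command line against the indicators.

    require_lsass=True is the rule as described in the summary (all signals
    together). require_lsass=False models the lsass string being optional,
    which is the concern raised in the review thread.
    """
    hits = {
        "procdump": bool(PROCDUMP_RE.search(cmdline)),
        "lsass": bool(LSASS_RE.search(cmdline)),
        "dump_arg": bool(DUMP_ARG_RE.search(cmdline)),
        "accepteula": bool(ACCEPTEULA_RE.search(cmdline)),  # optional: recorded only
    }
    required = ["procdump", "dump_arg"] + (["lsass"] if require_lsass else [])
    hits["match"] = all(hits[name] for name in required)
    return hits


def matched_commands(cmdlines, require_lsass=True):
    """Return the command lines the indicator set would flag."""
    return [c for c in cmdlines if classify(c, require_lsass)["match"]]


# Constructed sample command lines (not taken from the PR's test sample);
# each stands in for one process-creation event.
SAMPLES = [
    r'procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp',  # classic usage
    r'C:\Tools\procdump64.exe -ma 624 out.dmp',                          # target given by PID
    r'procdump64 -mm notepad.exe notepad.dmp',                          # benign developer use
    r'tasklist /fi "imagename eq lsass.exe"',                           # lsass named, no dump
    r'PROCDUMP -MA LSASS LSASS.DMP',                                    # case variation
]

if __name__ == "__main__":
    print("strict loose  command line")
    for cmd in SAMPLES:
        strict = classify(cmd)["match"]
        loose = classify(cmd, require_lsass=False)["match"]
        print(f"{str(strict):6} {str(loose):6} {cmd}")
```

With the lsass signal required, only the first and last samples are flagged; with it optional, the PID-targeted dump and the notepad dump are flagged as well, which is the false-positive surface the reviewer's question points at. The PID case also shows the limit of a string-only approach: an attacker who passes lsass's PID instead of its name is missed by the strict variant, and no command-line regex can close that gap without another signal.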