SPL, Apache-2.0, from splunk/security_content

Creation of lsass Dump with Taskmgr

The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches *lsass*.dmp. This activity is significant because creating an lsass dump can be a precursor to credential theft, as the dump file contains sensitive information such as user passwords. If confirmed malicious, an attacker could use the lsass dump to extract credentials and escalate privileges, potentially compromising the entire network.

Rule source: detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY action dest file_name
       file_path process_guid process_id
       user_id vendor_product process_name
       TargetFilename
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `creation_of_lsass_dump_with_taskmgr_filter`
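To make the filter and the `stats` aggregation concrete, here is an added Python re-implementation of the search logic run over constructed Sysmon EventID 11 records (example code, not part of the splunk/security_content rule). Field names follow the SPL above; the sample events, hostnames and user names are invented, and grouping is reduced to dest and user_id.

```python
"""Python mirror of the SPL: filter Sysmon EventID 11 records for Task Manager
writing *lsass*.dmp, then aggregate count/firstTime/lastTime like `stats`."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events (not real telemetry); keys follow the SPL fields.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventID": 11, "process_name": "taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP",
     "dest": "ws01", "user_id": "alice"},
    {"_time": 1700000060, "EventID": 11, "process_name": "Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass (2).dmp",
     "dest": "ws01", "user_id": "alice"},
    {"_time": 1700000120, "EventID": 11, "process_name": "taskmgr.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\notepad.DMP",
     "dest": "ws02", "user_id": "bob"},      # benign: a dump of another process
    {"_time": 1700000180, "EventID": 1, "process_name": "taskmgr.exe",
     "TargetFilename": r"C:\Temp\lsass.dmp",
     "dest": "ws03", "user_id": "carol"},    # wrong EventID: not a file-create event
    {"_time": 1700000240, "EventID": 11, "process_name": "procdump.exe",
     "TargetFilename": r"C:\Temp\lsass.dmp",
     "dest": "ws03", "user_id": "carol"},    # other tool: outside this rule's scope
]


def matches(event):
    """Equivalent of: EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp.
    Splunk field-value comparisons are case-insensitive, so lower-case the values."""
    return (event.get("EventID") == 11
            and str(event.get("process_name", "")).lower() == "taskmgr.exe"
            and fnmatchcase(str(event.get("TargetFilename", "")).lower(), "*lsass*.dmp"))


def detect(events):
    """Equivalent of `stats count min(_time) as firstTime max(_time) as lastTime`,
    grouped by (dest, user_id) only, since that is what the sample data carries."""
    groups = defaultdict(list)
    for e in events:
        if matches(e):
            groups[(e["dest"], e["user_id"])].append(e["_time"])
    return {key: {"count": len(times), "firstTime": min(times), "lastTime": max(times)}
            for key, times in groups.items()}


if __name__ == "__main__":
    for (dest, user), agg in detect(SAMPLE_EVENTS).items():
        print(f"{dest} {user}: {agg}")
```

Only the two Task Manager writes of an lsass dump on ws01 survive the filter; the notepad dump, the non-EventID-11 record and the procdump write are dropped, which is the scope of this rule.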