title: CreateMiniDump Hacktool
author: Florian Roth
date: 2019/12/22
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process
  memory for credential extraction on the attacker's machine
detection:
  SELECTION_1:
    EventID: 11
  SELECTION_2:
    TargetFilename: '*\lsass.dmp'
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: db2110f3-479d-42a6-94fb-d35bc1e46492
level: high
logsource:
  category: file_event
  product: windows
modified: 2021/09/19
references:
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
related:
- id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
  type: derived
status: deprecated
tags:
- attack.credential_access
- attack.t1003.001
- attack.t1003
ruletype: SIGMA