title: LSASS Process Memory Dump Files
author: Florian Roth
date: 2021/11/15
description: Detects file names used by different memory dumping tools to create a
  memory dump of the LSASS process memory, which contains user credentials
detection:
  SELECTION_1:
    EventID: 11
  SELECTION_2:
    TargetFilename:
    - '*\lsass.dmp'
    - '*\lsass.zip'
    - '*\lsass.rar'
  SELECTION_3:
    TargetFilename:
    - '*\lsass_2*'
    - '*\lsassdump*'
    - '*\lsassdmp*'
  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Unknown
id: a5a2d357-1ab8-4675-a967-ef9990a59391
level: high
logsource:
  category: file_event
  product: windows
references:
- https://www.google.com/search?q=procdump+lsass
related:
- id: db2110f3-479d-42a6-94fb-d35bc1e46492
  type: obsoletes
status: experimental
tags:
- attack.credential_access
- attack.t1003.001
- attack.t1003
ruletype: SIGMA