PowerShell MiniDump Script Detection
This brief covers a Sigma rule that detects PowerShell scripts referencing MiniDumpWriteDump or the MiniDumpWithFullMemory dump type, which can be used to capture process memory from credential-bearing processes such as LSASS.
The rule matches PowerShell script block text containing MiniDumpWriteDump, MiniDumpWithFullMemory, or the reversed string pmuDetirWpmuDiniM (MiniDumpWriteDump spelled backwards, a simple obfuscation). MiniDumpWriteDump is the dbghelp.dll API that writes a minidump of a process, and MiniDumpWithFullMemory is the dump type that includes all accessible process memory; a script typically reaches the API through Add-Type (P/Invoke) or reflection. Attackers use these to dump processes such as LSASS, whose memory holds credential material (NTLM hashes, Kerberos tickets and, depending on configuration, plaintext passwords) that can be extracted offline and reused for lateral movement and privilege escalation. The rule relies on PowerShell script block logging (event ID 4104). Because a script block is logged when it is compiled, a string assembled at runtime and passed to Invoke-Expression is logged again as a separate block in its assembled form, so the rule can still match code that was built from fragments. The original rule was created in 2021 and updated in April 2026 according to the source.
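The string matching the rule performs, as an added example that is not the rule's own code: a small Python re-implementation of the three keyword checks (case-insensitive, as Sigma `contains` is) run over constructed 4104 script block events. The event texts, paths and block IDs are made up for illustration; the P/Invoke block mirrors the shape of a typical dump script. The samples also show the block-by-block nature of script block logging: a name built by string concatenation does not match in the outer block, but the block PowerShell compiles and logs when Invoke-Expression runs the assembled text does.

```python
"""Added example: the keyword matches behind the 'PowerShell MiniDump Script' rule,
run over constructed 4104 script block events. Not the rule's or any vendor's code."""
from dataclasses import dataclass

# The three strings the Sigma rule looks for in ScriptBlockText: the dbghelp.dll
# export, the full-memory dump type, and MiniDumpWriteDump spelled backwards.
KEYWORDS = ("MiniDumpWriteDump", "MiniDumpWithFullMemory", "pmuDetirWpmuDiniM")


@dataclass
class ScriptBlockEvent:
    """Fields of a Microsoft-Windows-PowerShell/Operational event 4104 used here."""
    event_id: int
    script_block_id: str   # hypothetical short IDs; real events carry a GUID
    path: str              # script path, or empty for blocks evaluated in memory
    script_block_text: str


def match_minidump(event: ScriptBlockEvent) -> list[str]:
    """Return the keywords present in a 4104 event. Sigma 'contains' is
    case-insensitive, so both sides are lower-cased. Other event IDs never match."""
    if event.event_id != 4104:
        return []
    text = event.script_block_text.lower()
    return [kw for kw in KEYWORDS if kw.lower() in text]


def scan(events: list[ScriptBlockEvent]) -> list[dict]:
    """Run the rule over a batch of events; one alert per matching script block."""
    alerts = []
    for ev in events:
        hits = match_minidump(ev)
        if hits:
            alerts.append({"script_block_id": ev.script_block_id,
                           "path": ev.path or "<in-memory>",
                           "keywords": hits})
    return alerts


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # Benign: mentions lsass but none of the keywords.
    ScriptBlockEvent(4104, "b1", r"C:\Admin\procinfo.ps1",
                     "Get-Process lsass | Select-Object Id, WorkingSet"),
    # Classic P/Invoke dump script: declares the API and names the dump type.
    ScriptBlockEvent(4104, "b2", r"C:\Users\Public\dump.ps1",
                     '''$sig = '[DllImport("dbghelp.dll")] public static extern bool MiniDumpWriteDump(IntPtr h, uint pid, IntPtr f, int t, IntPtr a, IntPtr b, IntPtr c);'
$dbg = Add-Type -MemberDefinition $sig -Name Dbg -Namespace Win32 -PassThru
$dumpType = 2  # MiniDumpWithFullMemory'''),
    # Reversed-string obfuscation: the rule carries the backwards keyword for this.
    ScriptBlockEvent(4104, "b3", "",
                     "$r = 'pmuDetirWpmuDiniM'; $name = -join $r[-1..-($r.Length)]"),
    # Concatenation: the outer block does not contain the contiguous name ...
    ScriptBlockEvent(4104, "b4", "",
                     "$fn = 'MiniDump' + 'WriteDump'; Invoke-Expression (Get-Content stage2.ps1 -Raw)"),
    # ... but the block logged when Invoke-Expression compiles stage2.ps1 does.
    ScriptBlockEvent(4104, "b5", "",
                     "[Win32.Dbg]::MiniDumpWriteDump($h, $p.Id, $fs.SafeFileHandle.DangerousGetHandle(), 2, 0, 0, 0)"),
    # Wrong event ID (4103 is pipeline logging): ignored by this rule.
    ScriptBlockEvent(4103, "b6", "", "MiniDumpWriteDump"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts (b2, b3 and b5); b4 is the reminder that a plain string match sees only what each logged block contains, which is why the rule pairs the keyword list with script block logging rather than with command-line auditing alone.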
Attack Chain
- An attacker gains initial access to a Windows system through various means, such as phishing, exploiting a vulnerability, or using compromised credentials.
- The attacker executes a PowerShell script on the target system. This script may be directly executed or injected into an existing PowerShell process.
- The PowerShell script contains code that references MiniDumpWriteDump or MiniDumpWithFullMemory, or an obfuscated variant, indicating an intention to create a memory dump.
- The script identifies a target process, often LSASS (lsass.exe), or iterates through running processes to select a target.
- Using the MiniDumpWriteDump function, the script creates a memory dump of the targeted process.
- The memory dump is saved to a file on the system, potentially in a location that is easily accessible to the attacker.
- The attacker may then compress or encrypt the dump file to avoid detection and prepare it for exfiltration.
- The attacker exfiltrates the memory dump from the compromised system for offline analysis and credential extraction.
Impact
Successful execution of this attack can expose credentials held in memory, including those of domain administrator accounts that have logged on to the host. With those credentials an attacker can move laterally within the network, escalate privileges, and reach critical systems and data, with data breaches, financial losses, and reputational damage as possible consequences. How many systems are ultimately affected depends on the scope of the initial compromise and how far the attacker can move laterally with the stolen credentials.
Recommendation
- Enable PowerShell Script Block Logging (event ID 4104) to capture the necessary events for detection. Reference: https://atc-project.org/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md
- Deploy the Sigma rule “PowerShell MiniDump Script” to your SIEM and tune for your environment to detect suspicious PowerShell scripts.
- Investigate any alerts generated by the Sigma rule, focusing on the script content, target process, and output file. Use the investigation steps provided in the rule’s documentation.
- Monitor for file creation events related to memory dumps (e.g., *.dmp files) and analyze these files for sensitive information.
- Implement strict access controls and privilege management to limit the potential impact of credential theft.
Detection coverage (2 rules)
PowerShell MiniDump Script
Severity: high. Detects PowerShell scripts referencing MiniDumpWriteDump or MiniDumpWithFullMemory to capture process memory.
PowerShell MiniDump Script Block Logging
Severity: high. Detects PowerShell script block logging events referencing MiniDumpWriteDump or MiniDumpWithFullMemory.