Memory_dump — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/memory_dump/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 02 Jan 2024 12:00:00 +0000LSASS Memory Dump Creation Detectionhttps://feed.craftedsignal.io/briefs/2024-01-lsass-dump-creation/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-lsass-dump-creation/This rule identifies the creation of LSASS memory dump files, often indicative of credential access attempts using tools like Task Manager, SQLDumper, Dumpert, or AndrewSpecial, by monitoring for specific filenames and excluding legitimate dump locations.This detection rule identifies the creation of LSASS memory dump files on Windows systems, which is a common technique used by attackers to extract credentials. The rule focuses on specific filenames associated with LSASS dumps and tools used for creating these dumps, such as lsass*.dmp, dumpert.dmp, Andrew.dmp, SQLDmpr*.mdmp, and Coredump.dmp. The rule excludes known legitimate crash analysis paths and SQLDumper dump locations to reduce false positives. The rule aims to detect credential access attempts through trusted utilities such as Task Manager or SQLDumper, or known tooling such as Dumpert and AndrewSpecial. It is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.

Attack Chain

  1. An attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).
  2. The attacker executes a tool or utility to create a memory dump of the LSASS process. This can be done using built-in tools like Task Manager or SQLDumper, or third-party tools like Dumpert or AndrewSpecial.
  3. The tool writes the LSASS memory dump to a file with a name matching a known pattern, such as lsass.dmp, dumpert.dmp, or SQLDmpr0001.mdmp.
  4. The file is created in a location that is not a known legitimate crash dump location (e.g., not in \Windows\System32\config\systemprofile\AppData\Local\CrashDumps\).
  5. The attacker may move, copy, or archive the dump file to avoid detection or to prepare it for exfiltration.
  6. The attacker uses another tool, such as Mimikatz, to parse the LSASS memory dump and extract credentials.
  7. The attacker uses the extracted credentials to move laterally to other systems or to access sensitive data.
  8. The final objective is often to gain domain administrator privileges or to exfiltrate sensitive data.

Impact

Successful exploitation and credential extraction can lead to complete domain compromise, unauthorized access to sensitive data, and significant financial or reputational damage. The impact is amplified if the compromised system is a domain controller, jump host, or privileged admin workstation. The rule is designed to detect the initial stage of credential access and prevent further damage.

Recommendation

  • Enable Sysmon FileCreate events (Event ID 11) to capture the creation of LSASS memory dump files.
  • Deploy the Sigma rule LSASS Memory Dump Creation to your SIEM to detect suspicious LSASS memory dump creation events and tune for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on the process executable, parent process, file path, and user context.
  • If a suspicious LSASS memory dump is found, isolate the affected host and begin credential hygiene for implicated accounts and systems.
  • Block known malicious tools like Dumpert and AndrewSpecial from running on your network.
  • Monitor for related credential-access, staging, privilege, or lateral-movement alerts for the same user or host.
]]>mediumadvisorycredential_accesslsassmemory_dumpwindows