{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/minidump/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["credential-access","powershell","minidump","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule detects PowerShell script blocks that reference the MiniDumpWriteDump API (exported by dbghelp.dll), the MiniDumpWithFullMemory dump-type flag that asks it to include all of the target\u0026rsquo;s memory, or an obfuscated form of these strings (e.g., pmuDetirWpmuDiniM, which is MiniDumpWriteDump reversed). Attackers call MiniDumpWriteDump to write a memory dump of a chosen process, most often LSASS (lsass.exe), whose memory holds cached credentials. A dump of LSASS memory lets an attacker extract those credentials offline and use them for lateral movement and privilege escalation within a compromised network. The rule is designed to catch scripts that use this technique, giving an early warning of attempted credential theft. It relies on PowerShell script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The original rule was created in 2021 and updated in April 2026 according to the source.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, for example through phishing, exploitation of a vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the target system, either directly or by injecting it into an existing PowerShell process.\u003c/li\u003e\n\u003cli\u003eThe script references MiniDumpWriteDump or MiniDumpWithFullMemory, or an obfuscated variant, typically reaching the native API through P/Invoke (Add-Type) or reflection. Because script block logging records the script text, this is the point the rule observes.\u003c/li\u003e\n\u003cli\u003eThe script identifies a target process, usually LSASS (lsass.exe), or iterates through running processes to select one.\u003c/li\u003e\n\u003cli\u003eThe script opens a handle to the target and calls MiniDumpWriteDump to write its memory to a dump. Opening LSASS for reading requires administrative rights with SeDebugPrivilege, and fails from an unprotected process when LSASS runs as a protected process (RunAsPPL).\u003c/li\u003e\n\u003cli\u003eThe memory dump is saved to a file on the system, often in a location the attacker can easily reach, such as a temporary or user-writable directory.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress or encrypt the dump file to avoid detection and prepare it for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the dump from the compromised system for offline analysis and credential extraction.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack compromises the credentials held in LSASS memory, which can include domain administrator accounts that have logged on to the host. With them an attacker can move laterally across the network, escalate privileges, and reach critical systems and data, leading to data breaches, financial losses, and reputational damage. The blast radius depends on which accounts had active sessions on the compromised host and on how far the attacker\u0026rsquo;s lateral movement extends from there.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (event ID 4104), which the rule depends on. It is controlled by the Group Policy setting Turn on PowerShell Script Block Logging, equivalent to the registry value EnableScriptBlockLogging=1 under HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging. Reference: \u003ca href=\"https://atc-project.org/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"\u003ehttps://atc-project.org/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell MiniDump Script\u0026rdquo; to your SIEM and tune it for your environment. The plain API names also appear in legitimate debugging and crash-dump tooling, so allow-list known scripts; the reversed string has no benign use and warrants a high-confidence alert.\u003c/li\u003e\n\u003cli\u003eInvestigate any alert the rule generates, focusing on the full script content (reassemble long script blocks from their 4104 fragments), the target process, the output file, and the user and parent process that launched PowerShell. Use the investigation steps provided in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation events related to memory dumps (e.g., *.dmp files) and for processes other than known debuggers or crash reporting opening a handle to lsass.exe (Sysmon event ID 10), since an attacker can reach MiniDumpWriteDump without PowerShell.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and privilege management to limit the impact of credential theft, and enable LSA protection (RunAsPPL) and Credential Guard so that a dump is harder to take and yields less when it succeeds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-minidump/","summary":"This brief describes a rule that detects PowerShell scripts referencing MiniDumpWriteDump or full-memory minidump types, potentially used to capture process memory from credential-bearing processes like LSASS.","title":"PowerShell MiniDump Script Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-minidump/"}],"language":"en","title":"CraftedSignal Threat Feed — Minidump","version":"https://jsonfeed.org/version/1.1"}
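The following Python is an added example and is not code from the CraftedSignal brief above, nor the Sigma rule it describes. It applies the three indicator strings the brief names (MiniDumpWriteDump, MiniDumpWithFullMemory, and the reversed pmuDetirWpmuDiniM) to event ID 4104 records exported from the Microsoft-Windows-PowerShell/Operational log, and it covers the investigation step of reassembling a long script block from its fragments: PowerShell logs a long script as several 4104 events that share one ScriptBlockId, and an indicator that straddles a fragment boundary is missed when each event is matched on its own. The records in SAMPLE_EVENTS are constructed for the example; the field names (ScriptBlockText, ScriptBlockId, MessageNumber, MessageTotal) follow the event's EventData, but the values are invented.

```python
"""Match MiniDump indicators against PowerShell script block (4104) events.

Added example, not part of the brief or the Sigma rule. Sample events are
constructed, not real logs; only the field names mirror event ID 4104.
"""
from collections import defaultdict

# Indicator strings named in the brief. Compared case-insensitively because
# PowerShell itself is case-insensitive and attackers vary casing freely.
MINIDUMP_INDICATORS = (
    "MiniDumpWriteDump",       # dbghelp.dll export that writes the dump
    "MiniDumpWithFullMemory",  # MINIDUMP_TYPE flag asking for all memory
    "pmuDetirWpmuDiniM",       # MiniDumpWriteDump reversed (obfuscation)
)

# Constructed sample events. A long script block is logged as MessageTotal
# fragments sharing one ScriptBlockId; block "b2" is split so that the API
# name straddles the boundary between its two fragments.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "b1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$p = Get-Process lsass\n[Win32.Dbghelp]::MiniDumpWrite"},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "Dump($p.Handle, $p.Id, $fs.SafeFileHandle, 2, 0, 0, 0)"},
    {"EventID": 4104, "ScriptBlockId": "b3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$s = 'pmuDetirWpmuDiniM'; $api = -join $s[-1..-($s.Length)]"},
    {"EventID": 4104, "ScriptBlockId": "b4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$type = [Dbghelp.MINIDUMP_TYPE]::minidumpwithfullmemory"},
    # Not a script block event: the rule only looks at 4104, so this is skipped.
    {"EventID": 4103, "ScriptBlockId": "b5", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "MiniDumpWriteDump"},
]


def find_indicators(text):
    """Return the indicator strings present in text (case-insensitive)."""
    lowered = text.lower()
    return [ind for ind in MINIDUMP_INDICATORS if ind.lower() in lowered]


def reassemble_script_blocks(events):
    """Join 4104 fragments sharing a ScriptBlockId, in MessageNumber order.

    Returns {ScriptBlockId: full_text}. Fragments are exact substrings of the
    original script, so plain concatenation restores it.
    """
    fragments = defaultdict(dict)
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        fragments[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
    return {
        sbid: "".join(parts[n] for n in sorted(parts))
        for sbid, parts in fragments.items()
    }


def detect_per_fragment(events):
    """Naive approach: test each 4104 event on its own.

    Misses an indicator split across two fragments (block "b2" above).
    """
    hits = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        found = find_indicators(ev["ScriptBlockText"])
        if found:
            hits.setdefault(ev["ScriptBlockId"], []).extend(found)
    return hits


def detect(events):
    """Reassemble first, then match. Returns {ScriptBlockId: [indicators]}."""
    hits = {}
    for sbid, text in reassemble_script_blocks(events).items():
        found = find_indicators(text)
        if found:
            hits[sbid] = found
    return hits


if __name__ == "__main__":
    print("per-fragment:", detect_per_fragment(SAMPLE_EVENTS))
    print("reassembled: ", detect(SAMPLE_EVENTS))
```

Run against the constructed events, the per-fragment pass reports only b3 and b4, while the reassembled pass also reports b2, whose MiniDumpWriteDump call was split across two 4104 events. When triaging a hit, pull every fragment of the ScriptBlockId rather than the single event that matched; the full text shows the target process and output path the brief's investigation step asks for.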