T1003.001 OSCredentialDumping LSASSMemory

T1003.001 - OS Credential Dumping LSASS Memory

DESCRIPTION

A technique by which the adversary may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.

Example:

procdump -ma lsass.exe lsass_dump\ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 552 C:\Windows\Temp\vmware-vhost.dmp full

Related

Volt Typhoon activity

Reference:

https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks
https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/SuspectedLSASSDump.yaml
https://docs.microsoft.com/sysinternals/downloads/procdump

ATT&CK TACTICS

T1003.001 - OS Credential Dumping: LSASS Memory
T1003.003 - OS Credential Dumping: NTDS

Data Source(s): Process, Command

SENTINEL RULE QUERY

let c1 = dynamic(["procdump", "lsass"]); 
let c2 = dynamic(["rundll32", "comsvcs", "MiniDump"]);
let c3 = dynamic(['MiniDump',' full']); 
let c4 = 'sekurlsa'; 
find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) or
InitiatingProcessCommandLine has_all (c2) or ProcessCommandLine has_all (c2) or CommandLine has_all (c2) or
InitiatingProcessCommandLine has_all (c3) or ProcessCommandLine has_all (c3) or CommandLine has_all (c3) or 
InitiatingProcessCommandLine has c4 or ProcessCommandLine has c4 or CommandLine has c4  

Triage

1. Inspect which account and at what time the activity was performed
2. Question the user if the activity was expected and approved

FalsePositive

Legitimate administrative or pentesting activity

VERSION

Version 1.0 (date: 10/07/2023)