name: Dump LSASS via procdump Rename
id: 21276daa-663d-11eb-ae93-0242ac130002
version: 3
date: '2024-10-17'
author: Michael Haag, Splunk
status: deprecated
type: Hunting
description: >
  Detect a renamed instance of procdump.exe dumping the lsass process. The query
  looks for both -mm and -ma usage: -mm writes a mini dump file and -ma writes a
  dump file containing all process memory. Either switch aimed at lsass.exe is
  highly suspect and should be reviewed. Modify the query as needed.
  During triage, confirm that the binary is actually procdump.exe; the search
  keys on the PE OriginalFileName, which renaming the file on disk does not
  change. If this is the first time a Sysinternals utility has been run on the
  host, the command line may also carry -accepteula. Review other endpoint data
  sources for cross-process access (injection) into lsass.exe.
data_source:
- Sysmon EventID 1
search: '`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1
  (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | stats count
  min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,
  process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`'
how_to_implement: >
  To successfully implement this search you need to be ingesting process
  execution events from your endpoints that include the process name, the
  command line and the parent process name. As written, the search runs over
  the `sysmon` macro and the raw Sysmon Event ID 1 fields (OriginalFileName,
  CommandLine) rather than the `Endpoint` datamodel, so Sysmon must be
  configured to log process creation and the `sysmon` macro must point at that
  data; the same fields should also be populating the `Processes` node of the
  `Endpoint` datamodel for the rest of the content in this story.
known_false_positives: >
  None identified. Copies of procdump running under their shipped name
  (process_name matching procdump*.exe) are deliberately excluded, so routine
  administrative use of the unrenamed tool does not match this search.
references:
- https://attack.mitre.org/techniques/T1003/001/
- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump
drilldown_searches:
tags:
  analytic_story:
  - Credential Dumping
  - HAFNIUM Group
  - CISA AA22-257A
  asset_type: Endpoint
  confidence: 100
  impact: 80
  message: The following $process_name$ has been identified as renamed, spawning
    from $parent_process_name$ on $dest$, attempting to dump lsass.exe.
  mitre_attack_id:
  - T1003.001
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: parent_process_name
    type: Process
    role:
    - Attacker
  - name: process_name
    type: Process
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - OriginalFileName
  - process_name
  - EventID
  - CommandLine
  - dest
  - parent_process_name
  risk_score: 80
  security_domain: endpoint
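The filter and `stats` logic of the search above, reimplemented in Python over a handful of constructed Sysmon Event ID 1 records so the matching rules can be checked offline before the query is deployed. This is an added example and not part of the Splunk detection or the security_content project: the field names mirror the search, the events and host names are invented, and the wildcard and case-insensitive substring matching reproduce how Splunk evaluates `process_name!=procdump*.exe` and `CommandLine=*-ma*`.

```python
"""Added example (not part of the Splunk detection): the search's filter and
stats logic applied to constructed Sysmon Event ID 1 records."""
from fnmatch import fnmatchcase

# Constructed sample events. Field names mirror the search; values are invented.
SAMPLE_EVENTS = [
    # Renamed procdump dumping lsass, seen twice on the same host.
    {"_time": 1729000000, "EventID": 1, "dest": "ws01",
     "parent_process_name": "cmd.exe", "process_name": "pd.exe",
     "OriginalFileName": "procdump",
     "CommandLine": "pd.exe -accepteula -ma lsass.exe C:\\Temp\\out.dmp"},
    {"_time": 1729000060, "EventID": 1, "dest": "ws01",
     "parent_process_name": "cmd.exe", "process_name": "pd.exe",
     "OriginalFileName": "procdump",
     "CommandLine": "pd.exe -accepteula -ma lsass.exe C:\\Temp\\out.dmp"},
    # Same activity under the shipped name: excluded by process_name!=procdump*.exe.
    {"_time": 1729000120, "EventID": 1, "dest": "ws02",
     "parent_process_name": "powershell.exe", "process_name": "procdump64.exe",
     "OriginalFileName": "procdump",
     "CommandLine": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    # Renamed procdump, but the target is not lsass.
    {"_time": 1729000180, "EventID": 1, "dest": "ws01",
     "parent_process_name": "cmd.exe", "process_name": "pd.exe",
     "OriginalFileName": "procdump",
     "CommandLine": "pd.exe -mm notepad.exe notepad.dmp"},
    # Network-connection event (EventID 3) for the same binary: wrong event type.
    {"_time": 1729000240, "EventID": 3, "dest": "ws01",
     "parent_process_name": "cmd.exe", "process_name": "pd.exe",
     "OriginalFileName": "procdump",
     "CommandLine": "pd.exe -ma lsass.exe out.dmp"},
]


def matches(event):
    """True when one Sysmon event passes every filter term of the search."""
    if event.get("EventID") != 1:
        return False
    # OriginalFileName=procdump: exact, case-insensitive field match.
    if str(event.get("OriginalFileName", "")).lower() != "procdump":
        return False
    # process_name!=procdump*.exe: drop the binary under its shipped name.
    if fnmatchcase(str(event.get("process_name", "")).lower(), "procdump*.exe"):
        return False
    cmd = str(event.get("CommandLine", "")).lower()
    # (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass*
    return ("-ma" in cmd or "-mm" in cmd) and "lsass" in cmd


def aggregate(events):
    """stats count min(_time) as firstTime max(_time) as lastTime by <fields>."""
    by_fields = ("dest", "parent_process_name", "process_name",
                 "OriginalFileName", "CommandLine")
    rows = {}
    for ev in events:
        if not matches(ev):
            continue
        key = tuple(ev[f] for f in by_fields)
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows


if __name__ == "__main__":
    for key, row in aggregate(SAMPLE_EVENTS).items():
        print(dict(zip(("dest", "parent_process_name", "process_name",
                        "OriginalFileName", "CommandLine"), key)), row)
```

Running it yields a single aggregated row for `pd.exe` on `ws01` with a count of 2; the unrenamed `procdump64.exe` run is intentionally not reported, which is the gap a companion detection on the unrenamed tool has to cover.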