Detection: Windows OS Credential Dumping with Procdump
Description
Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed. During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.
Annotations
No annotations available.
Implementation
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
Known False Positives
None identified.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| Procdump was utilized to dump lsass on $dest_device_id$ by $dest_user_id$. | 80 | 80 | 100 |
References
-
https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
-
https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
Version: 5