CAR-2019-07-002: Lsass Process Dump via Procdump
ProcDump is a Sysinternals command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike, which an administrator or developer can use to determine the cause of the spike.
ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.
Note - the CAR data model currently does not support process access actions, so the pseudocode implementation is based around process creates.
ATT&CK Detections
Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
---|---|---|---|
OS Credential Dumping | LSASS Memory | Credential Access | Low |
D3FEND Techniques
ID | Name |
---|---|
D3-PSA | Process Spawn Analysis |
Data Model References
Object | Action | Field |
---|---|---|
process | create | exe |
process | create | command_line |
Implementations
Procdump - Process Create (Pseudocode)
This base pseudocode looks for process create events where an instance of procdump is executed that references lsass in the command-line.
processes = search Process:Create
procdump_lsass = filter processes where (
exe = "procdump*.exe" and
command_line = "*lsass*")
output procdump_lsass
Procdump - Process Create (Splunk, Sysmon native)
A Splunk/Sysmon version of the above pseudocode.
index=__your_sysmon_index__ EventCode=1 Image="*\\procdump*.exe" CommandLine="*lsass*"
Procdump - Process Create (Eql)
An EQL version of the above pseudocode.
Procdump - Process Access (Splunk, Sysmon native)
A related Splunk search, which instead of looking for process create events looks for process access events that target lsass.exe.
index=__your_sysmon_index__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" GrantedAccess="0x1FFFFF" ("procdump")
Procdump - Process Access (Sigma)
A Sigma version of the above Splunk search, with some more stringent criteria around the call trace.
Procdump - Process Create (Logpoint, LogPoint native)
LogPoint version of the above pseudocode.
norm_id=WindowsSysmon event_id=1 image="*\procdump*.exe" command="*lsass*"
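As an added illustration, not part of the CAR analytic or any of the vendor searches above, the following Python applies both detection conditions on this page (the Process Create pseudocode and the Process Access Splunk search) to a few constructed Sysmon-style events. Field names follow Sysmon (Image, CommandLine, SourceImage, TargetImage, GrantedAccess); the paths and command lines are made up for the example.

```python
import fnmatch
from typing import Dict, List

# Constructed Sysmon-style events (not real telemetry).
# EventCode 1 = process create, EventCode 10 = process access.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventCode": "1", "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": "procdump64.exe -ma lsass.exe lsass_dump"},
    {"EventCode": "1", "Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -ma notepad.exe crash.dmp"},      # benign use
    {"EventCode": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe lsass_notes.txt"},                  # 'lsass' but not procdump
    {"EventCode": "10", "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\WINDOWS\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventCode": "10", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\WINDOWS\system32\lsass.exe", "GrantedAccess": "0x1000"},
]


def _glob(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard match, mirroring the '*' globs in the searches above."""
    return fnmatch.fnmatch(value.lower(), pattern.lower())


def procdump_lsass_create(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Process Create pseudocode: procdump*.exe whose command line references lsass."""
    return [e for e in events
            if e.get("EventCode") == "1"
            and _glob(e.get("Image", ""), "*\\procdump*.exe")
            and _glob(e.get("CommandLine", ""), "*lsass*")]


def procdump_lsass_access(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Process Access search: EventCode 10 on lsass.exe with full access (0x1FFFFF)
    where 'procdump' appears in the event (here: source image or call trace)."""
    return [e for e in events
            if e.get("EventCode") == "10"
            and _glob(e.get("TargetImage", ""), "*\\lsass.exe")
            and e.get("GrantedAccess", "").lower() == "0x1fffff"
            and "procdump" in (e.get("SourceImage", "") + e.get("CallTrace", "")).lower()]


if __name__ == "__main__":
    for hit in procdump_lsass_create(SAMPLE_EVENTS) + procdump_lsass_access(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The second and third sample events show why both conditions are needed: a procdump run against another process and an unrelated command line containing "lsass" are both left alone.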
Unit Tests
Test Case 1
- Open a Windows Command Prompt or PowerShell instance.
- Navigate to the folder containing ProcDump.
- Execute procdump.exe -ma lsass.exe lsass_dump