Sigma rules for Cloud Atlas
500 rules · scoped to actor · back to Cloud Atlas
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Potential Credential Dumping Attempt Via PowerShell Remote Thread
id: fb656378-f909-47c1-8747-278bf09f4f4f
related:
- id: 3f07b9d1-2082-4c56-9277-613a621983cc
type: obsolete
- id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
type: similar
status: test
description: Detects remote thread creation by PowerShell processes into "lsass.exe"
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2022-12-18
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetImage|endswith: '\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - CrackMapExec Process Patterns
id: f26307d8-14cd-47e3-a26b-4b4769f24af6
status: test
description: Detects suspicious process patterns found in logs when CrackMapExec is used
references:
- https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
author: Florian Roth (Nextron Systems)
date: 2022-03-12
modified: 2023-02-13
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_lsass_dump1:
CommandLine|contains|all:
- 'tasklist /fi '
- 'Imagename eq lsass.exe'
CommandLine|contains:
- 'cmd.exe /c '
- 'cmd.exe /r '
- 'cmd.exe /k '
- 'cmd /c '
- 'cmd /r '
- 'cmd /k '
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_lsass_dump2:
CommandLine|contains|all:
- 'do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump'
- '\Windows\Temp\'
- ' full'
- '%%B'
selection_procdump:
CommandLine|contains|all:
- 'tasklist /v /fo csv'
- 'findstr /i "lsass"'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Renamed CreateDump Utility Execution
id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
related:
- id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
type: similar
status: test
description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems)
date: 2022-09-20
modified: 2023-02-14
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_pe:
OriginalFileName: 'FX_VER_INTERNALNAME_STR'
selection_cli:
- CommandLine|contains|all:
- ' -u ' # Short version of '--full'
- ' -f ' # Short version of '--name'
- '.dmp'
- CommandLine|contains|all:
- ' --full ' # Short version of '--full'
- ' --name ' # Short version of '--name'
- '.dmp'
filter:
Image|endswith: '\createdump.exe'
condition: 1 of selection_* and not filter
falsepositives:
- Command lines that use the same flags
level: high
title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: |
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
references:
- https://twitter.com/mrd0x/status/1460597833917251595
author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-26
modified: 2024-06-21
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_dump:
Image|startswith: ':\Program Files'
Image|contains: '\Microsoft Visual Studio\'
Image|endswith: '\dump64.exe'
selection_tools_procdump:
- OriginalFileName: 'procdump'
- CommandLine|contains:
- ' -ma ' # Full Dump
- ' -mp ' # Mini Plus
condition: selection_dump and 1 of selection_tools_*
falsepositives:
- Unknown
level: high
title: Time Travel Debugging Utility Usage
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
related:
- id: e76c8240-d68f-4773-8880-5c6f63595aaf
type: derived
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-10-09
tags:
- attack.credential-access
- attack.stealth
- attack.t1218
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\tttracer.exe'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
level: high
title: LSASS Dump Keyword In CommandLine
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
related:
- id: a5a2d357-1ab8-4675-a967-ef9990a59391
type: derived
status: test
description: |
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
references:
- https://github.com/Hackndo/lsassy
- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
- https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
- https://github.com/helpsystems/nanodump
- https://github.com/CCob/MirrorDump
author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-08-29
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains:
- 'lsass.dmp'
- 'lsass.zip'
- 'lsass.rar'
- 'Andrew.dmp'
- 'Coredump.dmp'
- 'NotLSASS.zip' # https://github.com/CCob/MirrorDump
- 'lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
- 'lsassdump'
- 'lsassdmp'
- CommandLine|contains|all:
- 'lsass'
- '.dmp'
- CommandLine|contains|all:
- 'SQLDmpr'
- '.mdmp'
- CommandLine|contains|all:
- 'nanodump'
- '.dmp'
condition: selection
falsepositives:
- Unlikely
level: high
title: CreateDump Process Dump
id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
related:
- id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
type: similar
status: test
description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-04
modified: 2022-08-19
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\createdump.exe'
- OriginalFileName: 'FX_VER_INTERNALNAME_STR'
selection_cli:
CommandLine|contains:
- ' -u ' # Short version of '--full'
- ' --full '
- ' -f ' # Short version of '--name'
- ' --name '
- '.dmp '
condition: all of selection_*
falsepositives:
- Command lines that use the same flags
level: high
title: Process Memory Dump Via Comsvcs.DLL
id: 646ea171-dded-4578-8a4d-65e9822892e3
related:
- id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
type: obsolete
status: test
description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
references:
- https://twitter.com/shantanukhande/status/1229348874298388484
- https://twitter.com/pythonresponder/status/1385064506049630211?s=21
- https://twitter.com/Hexacorn/status/1224848930795552769
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
- https://twitter.com/SBousseaden/status/1167417096374050817
- https://twitter.com/Wietze/status/1542107456507203586
- https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
- https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2020-02-18
modified: 2025-02-23
tags:
- attack.credential-access
- attack.stealth
- attack.t1036
- attack.t1003.001
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
- CommandLine|contains: 'rundll32'
selection_cli_1:
CommandLine|contains|all:
- 'comsvcs'
- 'full'
CommandLine|contains:
- '#-'
- '#+'
- '#24'
- '24 '
- 'MiniDump' # Matches MiniDump and MinidumpW
- '#65560' # ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around. for e.g ordinal 24 can be also represented by 65560 (65536+24)
selection_generic:
CommandLine|contains|all:
- '24'
- 'comsvcs'
- 'full'
CommandLine|contains:
- ' #'
- ',#'
- ', #'
- '"#'
condition: (selection_img and 1 of selection_cli_*) or selection_generic
falsepositives:
- Unlikely
level: high
title: HackTool - XORDump Execution
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
description: Detects suspicious use of XORDump process memory dumping utility
references:
- https://github.com/audibleblink/xordump
author: Florian Roth (Nextron Systems)
date: 2022-01-28
modified: 2023-02-08
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\xordump.exe'
- CommandLine|contains:
- ' -process lsass.exe '
- ' -m comsvcs '
- ' -m dbghelp '
- ' -m dbgcore '
condition: selection
falsepositives:
- Another tool that uses the command line switches of XORdump
level: high
title: Suspicious DumpMinitool Execution
id: eb1c4225-1c23-4241-8dd4-051389fde4ce
status: test
description: Detects suspicious ways to use the "DumpMinitool.exe" binary
references:
- https://twitter.com/mrd0x/status/1511415432888131586
- https://twitter.com/mrd0x/status/1511489821247684615
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
author: Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
- attack.credential-access
- attack.stealth
- attack.t1036
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\DumpMinitool.exe'
- '\DumpMinitool.x86.exe'
- '\DumpMinitool.arm64.exe'
- OriginalFileName:
- 'DumpMinitool.exe'
- 'DumpMinitool.x86.exe'
- 'DumpMinitool.arm64.exe'
filter_folder:
Image|contains:
- '\Microsoft Visual Studio\'
- '\Extensions\' # https://github.com/microsoft/vstest/blob/b2e2126f1aa7e5753cafe9515563c99ade6a59ce/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159
susp_flags:
CommandLine|contains: '.txt'
cmd_has_flags:
CommandLine|contains:
- ' Full'
- ' Mini'
- ' WithHeap'
filter_cmd_misses_flags:
CommandLine|contains: '--dumpType'
condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )
falsepositives:
- Unknown
level: high
title: Potential SysInternals ProcDump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
references:
- https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'copy procdump'
- 'move procdump'
selection_2:
CommandLine|contains|all:
- 'copy '
- '.dmp '
CommandLine|contains:
- '2.dmp'
- 'lsass'
- 'out.dmp'
selection_3:
CommandLine|contains:
- 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
- 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
condition: 1 of selection_*
falsepositives:
- False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
level: high
title: Potential Credential Dumping Via WER
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
status: test
description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash , Nasreddine Bencherchali'
date: 2022-12-08
modified: 2022-12-09
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\Werfault.exe'
- OriginalFileName: 'WerFault.exe'
selection_cli:
ParentUser|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
User|contains:
- 'AUTHORI'
- 'AUTORI'
CommandLine|contains|all:
# Doc: WerFault.exe -u -p <target process> -ip <source process> -s <file mapping handle>
# Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
# If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique
# Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity
- ' -u -p '
- ' -ip '
- ' -s '
filter_lsass:
ParentImage: 'C:\Windows\System32\lsass.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
level: high
title: HackTool - Doppelanger LSASS Dumper Execution
id: d474c8fe-bb69-4ea0-b7d9-f682b56d52d3
status: experimental
description: Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
references:
- https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
- https://github.com/vari-sh/RedTeamGrimoire/tree/668e0357072546065729ad623f8c02f7be21bb08/Doppelganger
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-01
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Doppelganger.exe'
- Hashes|contains:
- 'IMPHASH=AB94D5217896ADCD765A06B2D52F0AEB'
- 'IMPHASH=65F0EA61156EE0C2A35421926F0C7F78'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
date: 2019-10-22
modified: 2023-02-21
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
logsource:
category: process_creation
product: windows
detection:
selection_tools_name:
CommandLine|contains:
- 'DumpCreds'
- 'mimikatz'
selection_function_names: # To cover functions from modules that are not in module_names
CommandLine|contains:
- '::aadcookie' # misc module
- '::detours' # misc module
- '::memssp' # misc module
- '::mflt' # misc module
- '::ncroutemon' # misc module
- '::ngcsign' # misc module
- '::printnightmare' # misc module
- '::skeleton' # misc module
- '::preshutdown' # service module
- '::mstsc' # ts module
- '::multirdp' # ts module
selection_module_names:
CommandLine|contains:
- 'rpc::'
- 'token::'
- 'crypto::'
- 'dpapi::'
- 'sekurlsa::'
- 'kerberos::'
- 'lsadump::'
- 'privilege::'
- 'process::'
- 'vault::'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Potential Adplus.EXE Abuse
id: 2f869d59-7f6a-4931-992c-cce556ff2d53
status: test
description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
- https://twitter.com/nas_bench/status/1534916659676422152
- https://twitter.com/nas_bench/status/1534915321856917506
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
modified: 2023-06-23
tags:
- attack.execution
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\adplus.exe'
- OriginalFileName: 'Adplus.exe'
selection_cli:
CommandLine|contains:
# Dump process memory
- ' -hang '
- ' -pn '
- ' -pmn '
- ' -p '
- ' -po '
# Using a config file
- ' -c '
# Execute commands inline
- ' -sc '
condition: all of selection_*
falsepositives:
- Legitimate usage of Adplus for debugging purposes
level: high
title: HackTool - WSASS Execution
id: 589ac73f-8e12-409c-964e-31a2f5775ae2
status: experimental
description: |
Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's
(Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
references:
- https://github.com/TwoSevenOneT/WSASS
- https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-23
modified: 2026-01-09
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\wsass.exe'
selection_hash:
Hashes|contains: 'IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42'
selection_cli:
# change to |re|i after Sigma v2.0 release
# plain string without quotation marks as it has to match for both ' and "
CommandLine|re: (?i)\.exe[\"\']?\s+[^\"]{0,64}werfaultsecure\.exe[\"\']?\s+\d{2,10} # wsass.exe "path to werfaultsecure" lsass_pid
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml
title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
- https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002
- https://x.com/wietze/status/1958302556033065292?s=12
author: Florian Roth (Nextron Systems)
date: 2018-10-30
modified: 2025-10-19
tags:
- attack.stealth
- attack.t1036
- attack.credential-access
- attack.t1003.001
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection_flags:
CommandLine|contains|windash:
- ' -ma '
- ' -mm ' # Mini dump
- ' -mp ' # Miniplus dump
selection_process:
CommandLine|contains:
- ' ls' # Short for lsass
- ' keyiso'
- ' samss'
condition: all of selection_*
falsepositives:
- Unlikely, because no one should dump an lsass process memory
- Another tool that uses command line flags similar to ProcDump
level: high
title: Process Memory Dump via RdrLeakDiag.EXE
id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
related:
- id: 6355a919-2e97-4285-a673-74645566340d
type: obsolete
status: test
description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
references:
- https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/
- https://twitter.com/0gtweet/status/1299071304805560321?s=21
- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive
author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2021-09-24
modified: 2024-08-15
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rdrleakdiag.exe'
- OriginalFileName: RdrLeakDiag.exe
selection_cli_dump:
CommandLine|contains|windash:
- '/memdmp'
- 'fullmemdmp'
selection_cli_output_process:
CommandLine|contains|windash:
- ' /o ' # Output
- ' /p ' # Process
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: HackTool - HandleKatz LSASS Dumper Execution
id: ca621ba5-54ab-4035-9942-d378e6fcde3c
status: test
description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
references:
- https://github.com/codewhitesec/HandleKatz
author: Florian Roth (Nextron Systems)
date: 2022-08-18
modified: 2024-11-23
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_loader_img:
Image|endswith: '\loader.exe'
CommandLine|contains: '--pid:'
selection_loader_imphash:
Hashes|contains:
- 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
- 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
selection_flags:
CommandLine|contains|all:
- '--pid:'
- '--outfile:'
CommandLine|contains:
- '.dmp'
- 'lsass'
- '.obf'
- 'dump'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: PPL Tampering Via WerFaultSecure
id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
related:
- id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
type: similar
- id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
type: similar
status: experimental
description: |
Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.
Distinct command line patterns help identify the specific tool:
- WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
- EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
references:
- https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
- https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53
- https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
- https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251
author: Jason (https://github.com/0xbcf)
date: 2025-09-23
modified: 2025-11-23
tags:
- attack.defense-impairment
- attack.t1685
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_image:
- Image|endswith: '\WerFaultSecure.exe'
- OriginalFileName: 'WerFaultSecure.exe'
selection_args:
CommandLine|contains|all:
- ' /h '
- ' /pid ' # Antimalware or EDR process pid will be after this flag
- ' /tid '
- ' /encfile '
- ' /cancel '
- ' /type '
- ' 268310'
condition: all of selection_*
falsepositives:
- Legitimate usage of WerFaultSecure for debugging purposes
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml
title: Process Access via TrolleyExpress Exclusion
id: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
status: test
description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.youtube.com/watch?v=Ie831jF0bb0
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2022-05-13
tags:
- attack.stealth
- attack.t1218.011
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# We assume that the lsass.exe process has a process ID that's between 700 and 999 and the dumper uses just the PID as parameter
- '\TrolleyExpress 7'
- '\TrolleyExpress 8'
- '\TrolleyExpress 9'
- '\TrolleyExpress.exe 7'
- '\TrolleyExpress.exe 8'
- '\TrolleyExpress.exe 9'
# Common dumpers
- '\TrolleyExpress.exe -ma '
renamed:
Image|endswith: '\TrolleyExpress.exe'
filter_renamed:
OriginalFileName|contains: 'CtxInstall'
filter_empty:
OriginalFileName: null
condition: selection or ( renamed and not 1 of filter* )
falsepositives:
- Unknown
level: high
title: HackTool - CreateMiniDump Execution
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
status: test
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
references:
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
author: Florian Roth (Nextron Systems)
date: 2019-12-22
modified: 2024-11-23
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\CreateMiniDump.exe'
- Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
related:
- id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
type: similar
status: experimental
description: |
Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll,
dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
references:
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1003.001
- attack.t1685
logsource:
category: process_access
product: windows
detection:
selection_lsass_calltrace:
TargetImage|endswith: '\lsass.exe'
CallTrace|contains:
- 'dbgcore.dll'
- 'dbghelp.dll'
# The following selection is commented out and not enabled by default because any access to LSASS with dbgcore.dll or dbghelp.dll in the call trace from uncommon locations is assumed to be suspicious,
# but it may reduce false positives if the rule is too noisy. These GrantedAccess bits are commonly used for dumping LSASS memory.
# Uncomment if you observe false positives with the default rule.
# selection_granted_access:
# GrantedAccess|contains:
# - '0x1fffff'
# - '0x10'
# - '0x1010'
# - '0x1410'
# - '0x1438'
selection_susp_location:
SourceImage|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\$Recycle.Bin\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Desktop\'
- '\Documents\'
- '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Possibly during software installation or update processes
level: high
regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml
title: Lsass Memory Dump via Comsvcs DLL
id: a49fa4d5-11db-418c-8473-1e014a8dd462
status: test
description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
references:
- https://twitter.com/shantanukhande/status/1229348874298388484
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|endswith: '\rundll32.exe'
CallTrace|contains: 'comsvcs.dll'
condition: selection
falsepositives:
- Unknown
level: high
title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|contains: 'dump'
GrantedAccess|endswith:
- '10'
- '30'
- '50'
- '70'
- '90'
- 'B0'
- 'D0'
- 'F0'
- '18'
- '38'
- '58'
- '78'
- '98'
- 'B8'
- 'D8'
- 'F8'
- '1A'
- '3A'
- '5A'
- '7A'
- '9A'
- 'BA'
- 'DA'
- 'FA'
- '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- 'FF'
condition: selection
falsepositives:
- Rare programs that contain the word dump in their name and access lsass
level: high
title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 2023-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.006
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
filter_main_access:
GrantedAccess: '0x80000000'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
title: HackTool - Generic Process Access
id: d0d2f720-d14f-448d-8242-51ff396a334e
status: test
description: Detects process access requests from hacktool processes based on their default image name
references:
- https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-11-27
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
- SourceImage|endswith:
- '\Akagi.exe'
- '\Akagi64.exe'
- '\atexec_windows.exe'
- '\Certify.exe'
- '\Certipy.exe'
- '\CoercedPotato.exe'
- '\crackmapexec.exe'
- '\CreateMiniDump.exe'
- '\dcomexec_windows.exe'
- '\dpapi_windows.exe'
- '\findDelegation_windows.exe'
- '\GetADUsers_windows.exe'
- '\GetNPUsers_windows.exe'
- '\getPac_windows.exe'
- '\getST_windows.exe'
- '\getTGT_windows.exe'
- '\GetUserSPNs_windows.exe'
- '\gmer.exe'
- '\hashcat.exe'
- '\htran.exe'
- '\ifmap_windows.exe'
- '\impersonate.exe'
- '\Inveigh.exe'
- '\LocalPotato.exe'
- '\mimikatz_windows.exe'
- '\mimikatz.exe'
- '\netview_windows.exe'
- '\nmapAnswerMachine_windows.exe'
- '\opdump_windows.exe'
- '\PasswordDump.exe'
- '\Potato.exe'
- '\PowerTool.exe'
- '\PowerTool64.exe'
- '\psexec_windows.exe'
- '\PurpleSharp.exe'
- '\pypykatz.exe'
- '\QuarksPwDump.exe'
- '\rdp_check_windows.exe'
- '\Rubeus.exe'
- '\SafetyKatz.exe'
- '\sambaPipe_windows.exe'
- '\SelectMyParent.exe'
- '\SharpChisel.exe'
- '\SharPersist.exe'
- '\SharpEvtMute.exe'
- '\SharpImpersonation.exe'
- '\SharpLDAPmonitor.exe'
- '\SharpLdapWhoami.exe'
- '\SharpUp.exe'
- '\SharpView.exe'
- '\smbclient_windows.exe'
- '\smbserver_windows.exe'
- '\sniff_windows.exe'
- '\sniffer_windows.exe'
- '\split_windows.exe'
- '\SpoolSample.exe'
- '\Stracciatella.exe'
- '\SysmonEOP.exe'
- '\temp\rot.exe'
- '\ticketer_windows.exe'
- '\TruffleSnout.exe'
- '\winPEASany_ofs.exe'
- '\winPEASany.exe'
- '\winPEASx64_ofs.exe'
- '\winPEASx64.exe'
- '\winPEASx86_ofs.exe'
- '\winPEASx86.exe'
- '\xordump.exe'
- SourceImage|contains:
- '\goldenPac'
- '\just_dce_'
- '\karmaSMB'
- '\kintercept'
- '\LocalPotato'
- '\ntlmrelayx'
- '\rpcdump'
- '\samrdump'
- '\secretsdump'
- '\smbexec'
- '\smbrelayx'
- '\wmiexec'
- '\wmipersist'
- 'HotPotato'
- 'Juicy Potato'
- 'JuicyPotato'
- 'PetitPotam'
- 'RottenPotato'
condition: selection
falsepositives:
- Unlikely
level: high
title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
description: |
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
- https://twitter.com/mrd0x/status/1460597833917251595
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|endswith:
- '\TrolleyExpress.exe' # Citrix
- '\ProcessDump.exe' # Cisco Jabber
- '\dump64.exe' # Visual Studio
GrantedAccess|endswith:
- '10'
- '30'
- '50'
- '70'
- '90'
- 'B0'
- 'D0'
- 'F0'
- '18'
- '38'
- '58'
- '78'
- '98'
- 'B8'
- 'D8'
- 'F8'
- '1A'
- '3A'
- '5A'
- '7A'
- '9A'
- 'BA'
- 'DA'
- 'FA'
- '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- 'FF'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious LSASS Access Via MalSecLogon
id: 472159c5-31b9-4f56-b794-b766faa8b0a7
status: test
description: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
references:
- https://twitter.com/SBousseaden/status/1541920424635912196
- https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
- https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-29
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|endswith: '\svchost.exe'
GrantedAccess: '0x14c0'
CallTrace|contains: 'seclogon.dll'
condition: selection
falsepositives:
- Unknown
level: high
title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
- id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
type: obsolete
- id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
type: obsolete
status: stable
description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
- https://github.com/skelsec/pypykatz
author: Bhabesh Raj, Jonhnathan Ribeiro
date: 2023-11-27
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0349
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
CallTrace|contains|all:
- '_ctypes.pyd+'
- ':\Windows\System32\KERNELBASE.dll+'
- ':\Windows\SYSTEM32\ntdll.dll+'
CallTrace|contains:
- 'python27.dll+'
- 'python3*.dll+'
GrantedAccess: '0x1FFFFF'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
status: test
description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
references:
- https://github.com/codewhitesec/HandleKatz
author: Bhabesh Raj (rule), @thefLinkk
date: 2022-06-27
modified: 2023-11-28
tags:
- attack.execution
- attack.t1106
- attack.t1003.001
- attack.credential-access
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
# Example: C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
CallTrace|contains: '|UNKNOWN('
CallTrace|endswith: ')'
condition: selection
falsepositives:
- Unknown
level: high
title: Credential Dumping Attempt Via WerFault
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
status: test
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
references:
- https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
author: Florian Roth (Nextron Systems)
date: 2012-06-27
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
SourceImage|endswith: '\WerFault.exe'
TargetImage|endswith: '\lsass.exe'
GrantedAccess: '0x1FFFFF'
condition: selection
falsepositives:
- Actual failures in lsass.exe that trigger a crash dump (unlikely)
- Unknown cases in which WerFault accesses lsass.exe
level: high
title: Suspicious Renamed Comsvcs DLL Loaded By Rundll32
id: 8cde342c-ba48-4b74-b615-172c330f2e93
status: test
description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
references:
- https://twitter.com/sbousseaden/status/1555200155351228419
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2023-02-17
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\rundll32.exe'
Hashes|contains:
# Add more hashes for other windows versions
- IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64
- IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607
- IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809
- IMPHASH=407ca0f7b523319d758a40d7c0193699 # Windows 10 2004 x64
- IMPHASH=281d618f4e6271e527e6386ea6f748de # Windows 10 2004 x86
filter:
ImageLoaded|endswith: '\comsvcs.dll'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
title: Time Travel Debugging Utility Usage - Image
id: e76c8240-d68f-4773-8880-5c6f63595aaf
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-12-02
tags:
- attack.credential-access
- attack.stealth
- attack.t1218
- attack.t1003.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith:
- '\ttdrecord.dll'
- '\ttdwriter.dll'
- '\ttdloader.dll'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
level: high
title: Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
id: bdc64095-d59a-42a2-8588-71fd9c9d9abc
related:
- id: 0e277796-5f23-4e49-a490-483131d4f6e1 # Suspicious Loading
type: similar
status: test
description: |
Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.
Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
references:
- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
author: Perez Diego (@darkquassar), oscd.community, Ecco
date: 2019-10-27
modified: 2022-12-09
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Signed: 'false'
condition: selection
falsepositives:
- Unknown
level: high
title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
status: test
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
references:
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2017-01-10
modified: 2022-01-05
tags:
- attack.s0002
- attack.lateral-movement
- attack.credential-access
- car.2013-07-001
- car.2019-04-004
- attack.t1003.002
- attack.t1003.004
- attack.t1003.001
- attack.t1003.006
logsource:
product: windows
detection:
keywords:
- 'dpapi::masterkey'
- 'eo.oe.kiwi'
- 'event::clear'
- 'event::drop'
- 'gentilkiwi.com'
- 'kerberos::golden'
- 'kerberos::ptc'
- 'kerberos::ptt'
- 'kerberos::tgt'
- 'Kiwi Legit Printer'
- 'lsadump::'
- 'mimidrv.sys'
- '\mimilib.dll'
- 'misc::printnightmare'
- 'misc::shadowcopies'
- 'misc::skeleton'
- 'privilege::backup'
- 'privilege::debug'
- 'privilege::driver'
- 'sekurlsa::'
filter:
EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
condition: keywords and not filter
falsepositives:
- Naughty administrators
- AV Signature updates
- Files with Mimikatz in their filename
level: high
title: LSASS Process Crashed - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: |
Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-07
modified: 2025-12-03
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'Application Error'
EventID: 1000
AppName: 'lsass.exe'
ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
condition: selection
falsepositives:
- Rare legitimate crashing of the lsass process
level: high
title: Password Dumper Activity on LSASS
id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
status: test
description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
references:
- https://twitter.com/jackcr/status/807385668833968128
author: sigma
date: 2017-02-12
modified: 2022-10-09
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 4656
ProcessName|endswith: '\lsass.exe'
AccessMask: '0x705'
ObjectType: 'SAM_DOMAIN'
condition: selection
falsepositives:
- Unknown
level: high
title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains:
- 'cachedump'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
title: LSASS Access Detected via Attack Surface Reduction
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
status: test
description: Detects Access to LSASS Process
references:
- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
author: Markus Neis
date: 2018-08-26
modified: 2022-08-13
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
service: windefend
definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
detection:
selection:
EventID: 1121
Path|endswith: '\lsass.exe'
filter_thor:
ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
ProcessName|endswith:
- '\thor64.exe'
- '\thor.exe'
filter_exact:
ProcessName:
- 'C:\Windows\System32\atiesrxx.exe'
- 'C:\Windows\System32\CompatTelRunner.exe'
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\System32\nvwmi64.exe'
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\Taskmgr.exe'
- 'C:\Windows\System32\wbem\WmiPrvSE.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
filter_begins:
ProcessName|startswith:
- 'C:\Windows\System32\DriverStore\'
- 'C:\WINDOWS\Installer\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
condition: selection and not 1 of filter_*
falsepositives:
- Google Chrome GoogleUpdate.exe
- Some Taskmgr.exe related activity
level: high
title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains:
- 'cachedump'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
title: Lsass Full Dump Request Via DumpType Registry Settings
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
status: test
description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
modified: 2023-08-17
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
- '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
Details: 'DWORD (0x00000002)' # Full Dump
condition: selection
falsepositives:
- Legitimate application that needs to do a full dump of their process
level: high
title: OpenCanary - SMB File Open Request
id: 22777c9e-873a-4b49-855f-6072ab861a52
status: test
description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.lateral-movement
- attack.collection
- attack.t1021
- attack.t1005
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 5000
condition: selection
falsepositives:
- Unlikely
level: high
title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
- id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
type: similar
status: experimental
description: |
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.credential-access
- attack.t1552
- attack.execution
- attack.collection
- attack.t1005
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith:
# Add more script interpreters as needed
- '/node'
- '/bun'
selection_child:
- Image|endswith:
- '/trufflehog'
- '/gitleaks'
- CommandLine|contains:
- 'trufflehog'
- 'gitleaks'
condition: all of selection_*
falsepositives:
- Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
id: b57ba453-b384-4ab9-9f40-1038086b4e53
status: test
description: Detects dump of credentials in VeeamBackup dbo
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
- https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
author: frack113
date: 2021-12-20
modified: 2023-02-13
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_tools:
Image|endswith: '\sqlcmd.exe'
selection_query:
CommandLine|contains|all:
- 'SELECT'
- 'TOP'
- '[VeeamBackup].[dbo].[Credentials]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
- id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
type: similar
status: experimental
description: |
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.credential-access
- attack.t1552
- attack.collection
- attack.execution
- attack.t1005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Add more script interpreters as needed
- '\node.exe'
- '\bun.exe'
selection_child:
- Image|endswith:
- 'trufflehog.exe'
- 'gitleaks.exe'
- CommandLine|contains:
- 'trufflehog'
- 'gitleaks'
condition: all of selection_*
falsepositives:
- Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml
title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
- https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: TropChaud
date: 2022-12-19
modified: 2023-01-19
tags:
- attack.credential-access
- attack.t1539
- attack.t1555.003
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_sql:
- Product: SQLite
- Image|endswith:
- '\sqlite.exe'
- '\sqlite3.exe'
selection_chromium:
CommandLine|contains:
- '\User Data\' # Most common folder for user profile data among Chromium browsers
- '\Opera Software\' # Opera
- '\ChromiumViewer\' # Sleipnir (Fenrir)
selection_data:
CommandLine|contains:
- 'Login Data' # Passwords
- 'Cookies'
- 'Web Data' # Credit cards, autofill data
- 'History'
- 'Bookmarks'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: SQLite Firefox Profile Data DB Access
id: 4833155a-4053-4c9c-a997-777fcea0baa7
status: test
description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
- https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: frack113
date: 2022-04-08
modified: 2023-01-19
tags:
- attack.credential-access
- attack.t1539
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_sql:
- Product: SQLite
- Image|endswith:
- '\sqlite.exe'
- '\sqlite3.exe'
selection_firefox:
CommandLine|contains:
- 'cookies.sqlite'
- 'places.sqlite' # Bookmarks, history
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: OpenCanary - SNMP OID Request
id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
status: test
description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.discovery
- attack.lateral-movement
- attack.t1016
- attack.t1021
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 13001
condition: selection
falsepositives:
- Unlikely
level: high
title: PUA - AdFind Suspicious Execution
id: 9a132afa-654e-11eb-ae93-0242ac130002
related:
- id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
type: similar
- id: 75df3b17-8bcc-4565-b89b-c9898acef911
type: obsolete
status: test
description: Detects AdFind execution with common flags seen used during attacks
references:
- https://www.joeware.net/freetools/tools/adfind/
- https://thedfirreport.com/2020/05/08/adfind-recon/
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects
author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
date: 2021-02-02
modified: 2025-10-24
tags:
- attack.discovery
- attack.t1018
- attack.t1087.002
- attack.t1482
- attack.t1069.002
- stp.1u
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'domainlist'
- 'trustdmp'
- 'dcmodes'
- 'adinfo'
- '-sc dclist'
- 'computer_pwdnotreqd'
- 'objectcategory='
- '-subnets -f'
- 'name="Domain Admins"'
- '-sc u:'
- 'domainncs'
- 'dompol'
- ' oudmp '
- 'subnetdmp'
- 'gpodmp'
- 'fspdmp'
- 'users_noexpire'
- 'computers_active'
- 'computers_pwdnotreqd'
condition: selection
falsepositives:
- Legitimate admin activity
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml
simulation:
- type: atomic-red-team
name: Adfind - Enumerate Active Directory Computer Objects
technique: T1018
atomic_guid: a889f5be-2d54-4050-bd05-884578748bb4
- type: atomic-red-team
name: Adfind - Enumerate Active Directory Domain Controller Objects
technique: T1018
atomic_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e