Sigma rules for CVE-2021-44207
200 rules · scoped to cve · back to CVE-2021-44207
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious LDAP-Attributes Used
id: d00a9a72-2c09-4459-ad03-5e0a23351e36
status: test
description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
author: xknow @xknow_infosec
date: 2019-03-24
modified: 2022-10-05
tags:
- attack.t1001.003
- attack.command-and-control
logsource:
product: windows
service: security
definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
detection:
selection:
EventID: 5136
AttributeValue|contains: '*'
AttributeLDAPDisplayName:
- 'primaryInternationalISDNNumber'
- 'otherFacsimileTelephoneNumber'
- 'primaryTelexNumber'
condition: selection
falsepositives:
- Companies, who may use these default LDAP-Attributes for personal information
level: high
title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9002
condition: selection
falsepositives:
- Unlikely
level: high
title: OpenCanary - MySQL Login Attempt
id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
status: test
description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 8001
condition: selection
falsepositives:
- Unlikely
level: high
title: OpenCanary - MSSQL Login Attempt Via SQLAuth
id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9001
condition: selection
falsepositives:
- Unlikely
level: high
title: OpenCanary - REDIS Action Command Attempt
id: 547dfc53-ebf6-4afe-8d2e-793d9574975d
status: test
description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 17001
condition: selection
falsepositives:
- Unlikely
level: high
title: Linux Keylogging with Pam.d
id: 49aae26c-450e-448b-911d-b3c13d178dfc
status: test
description: Detect attempt to enable auditing of TTY input
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
- https://linux.die.net/man/8/pam_tty_audit
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
- https://access.redhat.com/articles/4409591#audit-record-types-2
author: 'Pawel Mazur'
date: 2021-05-24
modified: 2022-12-18
tags:
- attack.collection
- attack.credential-access
- attack.t1003
- attack.t1056.001
logsource:
product: linux
service: auditd
detection:
selection_path_events:
type: PATH
name:
- '/etc/pam.d/system-auth'
- '/etc/pam.d/password-auth'
selection_tty_events:
type:
- 'TTY'
- 'USER_TTY'
condition: 1 of selection_*
falsepositives:
- Administrative work
level: high
title: Potential Invoke-Mimikatz PowerShell Script
id: 189e3b02-82b2-4b90-9662-411eb64486d4
status: test
description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
references:
- https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
tags:
- attack.credential-access
- attack.t1003
logsource:
category: ps_script
product: windows
detection:
selection_1:
ScriptBlockText|contains|all:
- 'DumpCreds'
- 'DumpCerts'
selection_2:
ScriptBlockText|contains: 'sekurlsa::logonpasswords'
selection_3:
ScriptBlockText|contains|all:
- 'crypto::certificates'
- 'CERT_SYSTEM_STORE_LOCAL_MACHINE'
condition: 1 of selection*
falsepositives:
- Mimikatz can be useful for testing the security of networks
level: high
title: Live Memory Dump Using Powershell
id: cd185561-4760-45d6-a63e-a51325112cae
status: test
description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
references:
- https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
author: Max Altgelt (Nextron Systems)
date: 2021-09-21
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-StorageDiagnosticInfo'
- '-IncludeLiveDump'
condition: selection
falsepositives:
- Diagnostics
level: high
title: HackTool - Rubeus Execution - ScriptBlock
id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
related:
- id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
type: similar
status: test
description: Detects the execution of the hacktool Rubeus using specific command line flags
references:
- https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
- https://github.com/GhostPack/Rubeus
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-04-27
tags:
- attack.credential-access
- attack.t1003
- attack.t1558.003
- attack.lateral-movement
- attack.t1550.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'asreproast '
- 'dump /service:krbtgt '
- 'dump /luid:0x'
- 'kerberoast '
- 'createnetonly /program:'
- 'ptt /ticket:'
- '/impersonateuser:'
- 'renew /ticket:'
- 'asktgt /user:'
- 'harvest /interval:'
- 's4u /user:'
- 's4u /ticket:'
- 'hash /password:'
- 'golden /aes256:'
- 'silver /user:'
condition: selection
falsepositives:
- Unlikely
level: high
title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
status: test
description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
references:
- https://github.com/Porchetta-Industries/CrackMapExec
- https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py
author: SecurityAura
date: 2022-11-16
modified: 2024-06-27
tags:
- attack.credential-access
- attack.t1003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\svchost.exe'
# CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy
TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
related:
- id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-02-02
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Services\'
- '\NetworkProvider'
# filter:
# CommandLine|contains:
# - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
# - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
# - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
# - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
condition: selection
falsepositives:
- Other legitimate network providers used and not filtred in this rule
level: high
title: Microsoft IIS Service Account Password Dumped
id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
status: test
description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
references:
- https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
- https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
- https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
date: 2022-11-08
modified: 2023-01-22
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection_base_name:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_base_list:
CommandLine|contains: 'list '
selection_standalone:
CommandLine|contains:
- ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900
- ' /xml'
# We cover the "-" version just in case :)
- ' -config'
- ' -xml'
selection_cmd_flags:
CommandLine|contains:
- ' /@t' # Covers both "/@text:*" and "/@t:*"
- ' /text'
- ' /show'
# We cover the "-" version just in case :)
- ' -@t'
- ' -text'
- ' -show'
selection_cmd_grep:
CommandLine|contains:
- ':\*'
- 'password'
condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)
falsepositives:
- Unknown
level: high
title: Microsoft IIS Connection Strings Decryption
id: 97dbf6e2-e436-44d8-abee-4261b24d3e41
status: test
description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
references:
- https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2022-12-30
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection_name:
- Image|endswith: '\aspnet_regiis.exe'
- OriginalFileName: 'aspnet_regiis.exe'
selection_args:
CommandLine|contains|all:
- 'connectionStrings'
- ' -pdf'
condition: all of selection*
falsepositives:
- Unknown
level: high
title: Hacktool Execution - PE Metadata
id: 37c1333a-a0db-48be-b64b-7393b2386e3b
status: test
description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
references:
- https://github.com/cube0x0
- https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
author: Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2024-01-15
tags:
- attack.credential-access
- attack.resource-development
- attack.t1588.002
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
Company: 'Cube0x0' # Detects the use of tools created by a well-known hacktool producer named "Cube0x0", which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec, etc.)
condition: selection
falsepositives:
- Unlikely
level: high
title: PUA - Memory Dump Mount Via MemProcFS
id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
status: experimental
description: |
Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
references:
- https://github.com/ufrisk/MemProcFS
- https://0xdf.gitlab.io/2024/10/05/htb-freelancer.html#
- https://www.huntress.com/blog/curling-for-data-a-dive-into-a-threat-actors-malicious-ttps
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.001
- attack.t1003.004
- attack.t1003.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\MemProcFS.exe'
- OriginalFileName: 'MemProcFS.exe'
- Description: 'MemProcFS'
selection_cli:
CommandLine|contains: '-device'
condition: all of selection_*
falsepositives:
- Legitimate use during memory forensics; if not part of authorized analysis, warrants urgent investigation
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml
title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
- Internal Research
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2025-10-19
tags:
- attack.credential-access
- attack.privilege-escalation
- attack.stealth
- attack.t1134
- attack.t1003
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_special:
- Image|endswith:
- '\calc.exe'
- '\cscript.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\mshta.exe'
- '\ping.exe'
- '\wscript.exe'
- CommandLine|re: 'net\s+user\s+'
- CommandLine|contains:
# - 'sc stop ' # stops a system service # causes FPs
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' -decode ' # Used with certutil
- ' /decode ' # Used with certutil
- ' /urlcache ' # Used with certutil
- ' -urlcache ' # Used with certutil
- ' -e* JAB' # PowerShell encoded commands
- ' -e* SUVYI' # PowerShell encoded commands
- ' -e* SQBFAFgA' # PowerShell encoded commands
- ' -e* aWV4I' # PowerShell encoded commands
- ' -e* IAB' # PowerShell encoded commands
- ' -e* PAA' # PowerShell encoded commands
- ' -e* aQBlAHgA' # PowerShell encoded commands
- 'vssadmin delete shadows' # Ransomware
- 'reg SAVE HKLM' # save registry SAM - syskey extraction
- ' -ma ' # ProcDump
- 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
- '.downloadstring(' # PowerShell download command
- '.downloadfile(' # PowerShell download command
- ' /ticket:' # Rubeus
- 'dpapi::' # Mimikatz
- 'event::clear' # Mimikatz
- 'event::drop' # Mimikatz
- 'id::modify' # Mimikatz
- 'kerberos::' # Mimikatz
- 'lsadump::' # Mimikatz
- 'misc::' # Mimikatz
- 'privilege::' # Mimikatz
- 'rpc::' # Mimikatz
- 'sekurlsa::' # Mimikatz
- 'sid::' # Mimikatz
- 'token::' # Mimikatz
- 'vault::cred' # Mimikatz
- 'vault::list' # Mimikatz
- ' p::d ' # Mimikatz
- ';iex(' # PowerShell IEX
- 'MiniDump' # Process dumping method apart from procdump
filter_main_ping:
CommandLine|contains|all:
- 'ping'
- '127.0.0.1'
- ' -n '
filter_vs:
Image|endswith: '\PING.EXE'
ParentCommandLine|contains: '\DismFoDInstall.cmd'
filter_config_mgr:
ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
filter_java:
ParentImage|contains:
- ':\Program Files (x86)\Java\'
- ':\Program Files\Java\'
ParentImage|endswith: '\bin\javaws.exe'
Image|contains:
- ':\Program Files (x86)\Java\'
- ':\Program Files\Java\'
Image|endswith: '\bin\jp2launcher.exe'
CommandLine|contains: ' -ma '
condition: all of selection* and not 1 of filter_*
falsepositives:
- Administrative activity
- Scripts and administrative tools used in the monitored environment
- Monitoring activity
level: high
title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
related:
- id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
type: similar
status: experimental
description: |
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
references:
- https://blog.axelarator.net/hunting-for-edr-freeze/
- https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1003
- attack.t1685
logsource:
category: image_load
product: windows
detection:
selection_img:
Image|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\$Recycle.Bin\'
- '\Contacts\'
# - '\Desktop\'
- '\Documents\'
# - '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
# - '\AppData\Local\Temp\' some installers may load from here
selection_dll:
ImageLoaded|endswith:
- '\dbgcore.dll'
- '\dbghelp.dll'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml
title: Potentially Suspicious ODBC Driver Registered
id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4
status: test
description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
references:
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08-17
tags:
- attack.credential-access
- attack.persistence
- attack.t1003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
TargetObject|endswith:
- '\Driver'
- '\Setup'
Details|contains:
- ':\PerfLogs\'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Registration\CRMLog'
- ':\Windows\System32\com\dmp\'
- ':\Windows\System32\FxsTmp\'
- ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
- ':\Windows\System32\spool\drivers\color\'
- ':\Windows\System32\spool\PRINTERS\'
- ':\Windows\System32\spool\SERVERS\'
- ':\Windows\System32\Tasks_Migrated\'
- ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
- ':\Windows\SysWOW64\com\dmp\'
- ':\Windows\SysWOW64\FxsTmp\'
- ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
- ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- ':\Windows\Tracing\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
condition: selection
falsepositives:
- Unlikely
level: high
title: PowerShell Get-Process LSASS in ScriptBlock
id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
status: test
description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
references:
- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Get-Process lsass'
condition: selection
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
level: high
title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-25
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.003
- attack.t1003.004
- attack.t1003.005
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|contains:
- '\fgdump-log'
- '\kirbi'
- '\pwdump'
- '\pwhashes'
- '\wce_ccache'
- '\wce_krbtkts'
- TargetFilename|endswith:
- '\cachedump.exe'
- '\cachedump64.exe'
- '\DumpExt.dll'
- '\DumpSvc.exe'
- '\Dumpy.exe'
- '\fgexec.exe'
- '\lsremora.dll'
- '\lsremora64.dll'
- '\NTDS.out'
- '\procdump.exe'
- '\procdump64.exe'
- '\procdump64a.exe'
- '\pstgdump.exe'
- '\pwdump.exe'
- '\SAM.out'
- '\SECURITY.out'
- '\servpw.exe'
- '\servpw64.exe'
- '\SYSTEM.out'
- '\test.pwd'
- '\wceaux.dll'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml
title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
status: test
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
author: Swachchhanda Shrawan Poudel
date: 2023-10-19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- ':\Windows\system32\taskmgr.exe'
- ':\Windows\SysWOW64\taskmgr.exe'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '\lsass'
- '.DMP'
condition: selection
falsepositives:
- Rare case of troubleshooting by an administrator or support that has to be investigated regardless
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml
title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: test
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
TargetFilename|contains: 'lsass.exe.'
TargetFilename|endswith: '.dmp'
condition: selection
falsepositives:
- Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high
title: HackTool - CrackMapExec File Indicators
id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
related:
- id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
type: obsolete
status: test
description: Detects file creation events with filename patterns used by CrackMapExec.
references:
- https://github.com/byt3bl33d3r/CrackMapExec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-11
modified: 2024-06-27
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection_path:
TargetFilename|startswith: 'C:\Windows\Temp\' # The disk extension is hardcoded in the tool.
selection_names_str:
TargetFilename|endswith:
- '\temp.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/keepass_trigger.py#L42C41-L42C68
- '\msol.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/msol.py#L48C98-L48C106
selection_names_re:
- TargetFilename|re: '\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/wmi/wmiexec.py#L86
- TargetFilename|re: '\\[a-zA-Z]{8}\.tmp$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/smb/atexec.py#L145C19-L146
condition: selection_path and 1 of selection_names_*
falsepositives:
- Unknown
level: high
title: LSASS Process Memory Dump Files
id: a5a2d357-1ab8-4675-a967-ef9990a59391
related:
- id: db2110f3-479d-42a6-94fb-d35bc1e46492
type: obsolete
- id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
type: obsolete
status: test
description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
references:
- https://www.google.com/search?q=procdump+lsass
- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
- https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
- https://github.com/helpsystems/nanodump
- https://github.com/CCob/MirrorDump
- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35
- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
author: Florian Roth (Nextron Systems)
date: 2021-11-15
modified: 2024-10-08
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection_1:
TargetFilename|endswith:
- '\Andrew.dmp'
- '\Coredump.dmp'
- '\lsass.dmp'
- '\lsass.rar'
- '\lsass.zip'
- '\NotLSASS.zip' # https://github.com/CCob/MirrorDump
- '\PPLBlade.dmp' # https://github.com/tastypepperoni/PPLBlade
- '\rustive.dmp' # https://github.com/safedv/RustiveDump/blob/main/src/main.rs#L35
selection_2:
TargetFilename|contains:
- '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
- '\lsassdmp'
- '\lsassdump'
selection_3:
TargetFilename|contains|all:
- '\lsass'
- '.dmp'
selection_4:
TargetFilename|contains: 'SQLDmpr'
TargetFilename|endswith: '.mdmp'
selection_5:
TargetFilename|contains:
- '\nanodump'
- '\proc_' # NativeDump pattern https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
TargetFilename|endswith: '.dmp'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: HackTool - SafetyKatz Dump Indicator
id: e074832a-eada-4fd7-94a1-10642b130e16
status: test
description: Detects default lsass dump filename generated by SafetyKatz.
references:
- https://github.com/GhostPack/SafetyKatz
- https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
author: Markus Neis
date: 2018-07-24
modified: 2024-06-27
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\Temp\debug.bin'
condition: selection
falsepositives:
- Rare legitimate files with similar filename structure
level: high
title: WerFault LSASS Process Memory Dump
id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
status: test
description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
references:
- https://github.com/helpsystems/nanodump
author: Florian Roth (Nextron Systems)
date: 2022-06-27
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection:
Image: C:\WINDOWS\system32\WerFault.exe
TargetFilename|contains:
- '\lsass'
- 'lsass.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - Impacket File Indicators
id: 03f4ca17-de95-428d-a75a-4ee78b047256
related:
- id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
type: similar
status: experimental
description: Detects file creation events with filename patterns used by Impacket.
references:
- https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
- https://github.com/fortra/impacket
author: "The DFIR Report, IrishDeath"
date: 2025-05-19
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection_names_re:
TargetFilename|re: '\\sessionresume_[a-zA-Z]{8}$' # https://github.com/fortra/impacket/blob/ead516a1209742efc7ac550707a9304ba08681e9/impacket/examples/secretsdump.py#L1925C38-L1925C51
condition: selection_names_re
falsepositives:
- Unknown
level: high
title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
status: stable
description: |
Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
The process in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
author: Thomas Patzke
date: 2017-02-19
modified: 2021-06-21
tags:
- attack.credential-access
- attack.s0005
- attack.t1003.001
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith: '\lsass.exe'
StartModule: ''
condition: selection
falsepositives:
- Antivirus products
level: high
title: Potential Credential Dumping Attempt Via PowerShell Remote Thread
id: fb656378-f909-47c1-8747-278bf09f4f4f
related:
- id: 3f07b9d1-2082-4c56-9277-613a621983cc
type: obsolete
- id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
type: similar
status: test
description: Detects remote thread creation by PowerShell processes into "lsass.exe"
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2022-12-18
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetImage|endswith: '\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - CrackMapExec Process Patterns
id: f26307d8-14cd-47e3-a26b-4b4769f24af6
status: test
description: Detects suspicious process patterns found in logs when CrackMapExec is used
references:
- https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
author: Florian Roth (Nextron Systems)
date: 2022-03-12
modified: 2023-02-13
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_lsass_dump1:
CommandLine|contains|all:
- 'tasklist /fi '
- 'Imagename eq lsass.exe'
CommandLine|contains:
- 'cmd.exe /c '
- 'cmd.exe /r '
- 'cmd.exe /k '
- 'cmd /c '
- 'cmd /r '
- 'cmd /k '
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_lsass_dump2:
CommandLine|contains|all:
- 'do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump'
- '\Windows\Temp\'
- ' full'
- '%%B'
selection_procdump:
CommandLine|contains|all:
- 'tasklist /v /fo csv'
- 'findstr /i "lsass"'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Renamed CreateDump Utility Execution
id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
related:
- id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
type: similar
status: test
description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems)
date: 2022-09-20
modified: 2023-02-14
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_pe:
OriginalFileName: 'FX_VER_INTERNALNAME_STR'
selection_cli:
- CommandLine|contains|all:
- ' -u ' # Short version of '--full'
- ' -f ' # Short version of '--name'
- '.dmp'
- CommandLine|contains|all:
- ' --full ' # Short version of '--full'
- ' --name ' # Short version of '--name'
- '.dmp'
filter:
Image|endswith: '\createdump.exe'
condition: 1 of selection_* and not filter
falsepositives:
- Command lines that use the same flags
level: high
title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: |
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
references:
- https://twitter.com/mrd0x/status/1460597833917251595
author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-26
modified: 2024-06-21
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_dump:
Image|startswith: ':\Program Files'
Image|contains: '\Microsoft Visual Studio\'
Image|endswith: '\dump64.exe'
selection_tools_procdump:
- OriginalFileName: 'procdump'
- CommandLine|contains:
- ' -ma ' # Full Dump
- ' -mp ' # Mini Plus
condition: selection_dump and 1 of selection_tools_*
falsepositives:
- Unknown
level: high
title: Time Travel Debugging Utility Usage
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
related:
- id: e76c8240-d68f-4773-8880-5c6f63595aaf
type: derived
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-10-09
tags:
- attack.credential-access
- attack.stealth
- attack.t1218
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\tttracer.exe'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
level: high
title: LSASS Dump Keyword In CommandLine
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
related:
- id: a5a2d357-1ab8-4675-a967-ef9990a59391
type: derived
status: test
description: |
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
references:
- https://github.com/Hackndo/lsassy
- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
- https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
- https://github.com/helpsystems/nanodump
- https://github.com/CCob/MirrorDump
author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-08-29
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains:
- 'lsass.dmp'
- 'lsass.zip'
- 'lsass.rar'
- 'Andrew.dmp'
- 'Coredump.dmp'
- 'NotLSASS.zip' # https://github.com/CCob/MirrorDump
- 'lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
- 'lsassdump'
- 'lsassdmp'
- CommandLine|contains|all:
- 'lsass'
- '.dmp'
- CommandLine|contains|all:
- 'SQLDmpr'
- '.mdmp'
- CommandLine|contains|all:
- 'nanodump'
- '.dmp'
condition: selection
falsepositives:
- Unlikely
level: high
title: CreateDump Process Dump
id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
related:
- id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
type: similar
status: test
description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-04
modified: 2022-08-19
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\createdump.exe'
- OriginalFileName: 'FX_VER_INTERNALNAME_STR'
selection_cli:
CommandLine|contains:
- ' -u ' # Short version of '--full'
- ' --full '
- ' -f ' # Short version of '--name'
- ' --name '
- '.dmp '
condition: all of selection_*
falsepositives:
- Command lines that use the same flags
level: high
title: Process Memory Dump Via Comsvcs.DLL
id: 646ea171-dded-4578-8a4d-65e9822892e3
related:
- id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
type: obsolete
status: test
description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
references:
- https://twitter.com/shantanukhande/status/1229348874298388484
- https://twitter.com/pythonresponder/status/1385064506049630211?s=21
- https://twitter.com/Hexacorn/status/1224848930795552769
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
- https://twitter.com/SBousseaden/status/1167417096374050817
- https://twitter.com/Wietze/status/1542107456507203586
- https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
- https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2020-02-18
modified: 2025-02-23
tags:
- attack.credential-access
- attack.stealth
- attack.t1036
- attack.t1003.001
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
- CommandLine|contains: 'rundll32'
selection_cli_1:
CommandLine|contains|all:
- 'comsvcs'
- 'full'
CommandLine|contains:
- '#-'
- '#+'
- '#24'
- '24 '
- 'MiniDump' # Matches MiniDump and MinidumpW
- '#65560' # ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around. for e.g ordinal 24 can be also represented by 65560 (65536+24)
selection_generic:
CommandLine|contains|all:
- '24'
- 'comsvcs'
- 'full'
CommandLine|contains:
- ' #'
- ',#'
- ', #'
- '"#'
condition: (selection_img and 1 of selection_cli_*) or selection_generic
falsepositives:
- Unlikely
level: high
title: HackTool - XORDump Execution
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
description: Detects suspicious use of XORDump process memory dumping utility
references:
- https://github.com/audibleblink/xordump
author: Florian Roth (Nextron Systems)
date: 2022-01-28
modified: 2023-02-08
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\xordump.exe'
- CommandLine|contains:
- ' -process lsass.exe '
- ' -m comsvcs '
- ' -m dbghelp '
- ' -m dbgcore '
condition: selection
falsepositives:
- Another tool that uses the command line switches of XORdump
level: high
title: Suspicious DumpMinitool Execution
id: eb1c4225-1c23-4241-8dd4-051389fde4ce
status: test
description: Detects suspicious ways to use the "DumpMinitool.exe" binary
references:
- https://twitter.com/mrd0x/status/1511415432888131586
- https://twitter.com/mrd0x/status/1511489821247684615
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
author: Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
- attack.credential-access
- attack.stealth
- attack.t1036
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\DumpMinitool.exe'
- '\DumpMinitool.x86.exe'
- '\DumpMinitool.arm64.exe'
- OriginalFileName:
- 'DumpMinitool.exe'
- 'DumpMinitool.x86.exe'
- 'DumpMinitool.arm64.exe'
filter_folder:
Image|contains:
- '\Microsoft Visual Studio\'
- '\Extensions\' # https://github.com/microsoft/vstest/blob/b2e2126f1aa7e5753cafe9515563c99ade6a59ce/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159
susp_flags:
CommandLine|contains: '.txt'
cmd_has_flags:
CommandLine|contains:
- ' Full'
- ' Mini'
- ' WithHeap'
filter_cmd_misses_flags:
CommandLine|contains: '--dumpType'
condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )
falsepositives:
- Unknown
level: high
title: Potential SysInternals ProcDump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
references:
- https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'copy procdump'
- 'move procdump'
selection_2:
CommandLine|contains|all:
- 'copy '
- '.dmp '
CommandLine|contains:
- '2.dmp'
- 'lsass'
- 'out.dmp'
selection_3:
CommandLine|contains:
- 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
- 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
condition: 1 of selection_*
falsepositives:
- False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
level: high
title: Potential Credential Dumping Via WER
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
status: test
description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash , Nasreddine Bencherchali'
date: 2022-12-08
modified: 2022-12-09
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\Werfault.exe'
- OriginalFileName: 'WerFault.exe'
selection_cli:
ParentUser|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
User|contains:
- 'AUTHORI'
- 'AUTORI'
CommandLine|contains|all:
# Doc: WerFault.exe -u -p <target process> -ip <source process> -s <file mapping handle>
# Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
# If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique
# Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity
- ' -u -p '
- ' -ip '
- ' -s '
filter_lsass:
ParentImage: 'C:\Windows\System32\lsass.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
level: high
title: HackTool - Doppelanger LSASS Dumper Execution
id: d474c8fe-bb69-4ea0-b7d9-f682b56d52d3
status: experimental
description: Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
references:
- https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
- https://github.com/vari-sh/RedTeamGrimoire/tree/668e0357072546065729ad623f8c02f7be21bb08/Doppelganger
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-01
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Doppelganger.exe'
- Hashes|contains:
- 'IMPHASH=AB94D5217896ADCD765A06B2D52F0AEB'
- 'IMPHASH=65F0EA61156EE0C2A35421926F0C7F78'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
date: 2019-10-22
modified: 2023-02-21
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
logsource:
category: process_creation
product: windows
detection:
selection_tools_name:
CommandLine|contains:
- 'DumpCreds'
- 'mimikatz'
selection_function_names: # To cover functions from modules that are not in module_names
CommandLine|contains:
- '::aadcookie' # misc module
- '::detours' # misc module
- '::memssp' # misc module
- '::mflt' # misc module
- '::ncroutemon' # misc module
- '::ngcsign' # misc module
- '::printnightmare' # misc module
- '::skeleton' # misc module
- '::preshutdown' # service module
- '::mstsc' # ts module
- '::multirdp' # ts module
selection_module_names:
CommandLine|contains:
- 'rpc::'
- 'token::'
- 'crypto::'
- 'dpapi::'
- 'sekurlsa::'
- 'kerberos::'
- 'lsadump::'
- 'privilege::'
- 'process::'
- 'vault::'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Potential Adplus.EXE Abuse
id: 2f869d59-7f6a-4931-992c-cce556ff2d53
status: test
description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
- https://twitter.com/nas_bench/status/1534916659676422152
- https://twitter.com/nas_bench/status/1534915321856917506
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
modified: 2023-06-23
tags:
- attack.execution
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\adplus.exe'
- OriginalFileName: 'Adplus.exe'
selection_cli:
CommandLine|contains:
# Dump process memory
- ' -hang '
- ' -pn '
- ' -pmn '
- ' -p '
- ' -po '
# Using a config file
- ' -c '
# Execute commands inline
- ' -sc '
condition: all of selection_*
falsepositives:
- Legitimate usage of Adplus for debugging purposes
level: high
title: HackTool - WSASS Execution
id: 589ac73f-8e12-409c-964e-31a2f5775ae2
status: experimental
description: |
Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's
(Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
references:
- https://github.com/TwoSevenOneT/WSASS
- https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-23
modified: 2026-01-09
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\wsass.exe'
selection_hash:
Hashes|contains: 'IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42'
selection_cli:
# change to |re|i after Sigma v2.0 release
# plain string without quotation marks as it has to match for both ' and "
CommandLine|re: (?i)\.exe[\"\']?\s+[^\"]{0,64}werfaultsecure\.exe[\"\']?\s+\d{2,10} # wsass.exe "path to werfaultsecure" lsass_pid
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml
title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
- https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002
- https://x.com/wietze/status/1958302556033065292?s=12
author: Florian Roth (Nextron Systems)
date: 2018-10-30
modified: 2025-10-19
tags:
- attack.stealth
- attack.t1036
- attack.credential-access
- attack.t1003.001
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection_flags:
CommandLine|contains|windash:
- ' -ma '
- ' -mm ' # Mini dump
- ' -mp ' # Miniplus dump
selection_process:
CommandLine|contains:
- ' ls' # Short for lsass
- ' keyiso'
- ' samss'
condition: all of selection_*
falsepositives:
- Unlikely, because no one should dump an lsass process memory
- Another tool that uses command line flags similar to ProcDump
level: high
title: Process Memory Dump via RdrLeakDiag.EXE
id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
related:
- id: 6355a919-2e97-4285-a673-74645566340d
type: obsolete
status: test
description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
references:
- https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/
- https://twitter.com/0gtweet/status/1299071304805560321?s=21
- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive
author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2021-09-24
modified: 2024-08-15
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rdrleakdiag.exe'
- OriginalFileName: RdrLeakDiag.exe
selection_cli_dump:
CommandLine|contains|windash:
- '/memdmp'
- 'fullmemdmp'
selection_cli_output_process:
CommandLine|contains|windash:
- ' /o ' # Output
- ' /p ' # Process
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: HackTool - HandleKatz LSASS Dumper Execution
id: ca621ba5-54ab-4035-9942-d378e6fcde3c
status: test
description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
references:
- https://github.com/codewhitesec/HandleKatz
author: Florian Roth (Nextron Systems)
date: 2022-08-18
modified: 2024-11-23
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_loader_img:
Image|endswith: '\loader.exe'
CommandLine|contains: '--pid:'
selection_loader_imphash:
Hashes|contains:
- 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
- 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
selection_flags:
CommandLine|contains|all:
- '--pid:'
- '--outfile:'
CommandLine|contains:
- '.dmp'
- 'lsass'
- '.obf'
- 'dump'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: PPL Tampering Via WerFaultSecure
id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
related:
- id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
type: similar
- id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
type: similar
status: experimental
description: |
Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.
Distinct command line patterns help identify the specific tool:
- WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
- EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
references:
- https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
- https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53
- https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
- https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251
author: Jason (https://github.com/0xbcf)
date: 2025-09-23
modified: 2025-11-23
tags:
- attack.defense-impairment
- attack.t1685
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_image:
- Image|endswith: '\WerFaultSecure.exe'
- OriginalFileName: 'WerFaultSecure.exe'
selection_args:
CommandLine|contains|all:
- ' /h '
- ' /pid ' # Antimalware or EDR process pid will be after this flag
- ' /tid '
- ' /encfile '
- ' /cancel '
- ' /type '
- ' 268310'
condition: all of selection_*
falsepositives:
- Legitimate usage of WerFaultSecure for debugging purposes
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml
title: Process Access via TrolleyExpress Exclusion
id: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
status: test
description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.youtube.com/watch?v=Ie831jF0bb0
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2022-05-13
tags:
- attack.stealth
- attack.t1218.011
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# We assume that the lsass.exe process has a process ID that's between 700 and 999 and the dumper uses just the PID as parameter
- '\TrolleyExpress 7'
- '\TrolleyExpress 8'
- '\TrolleyExpress 9'
- '\TrolleyExpress.exe 7'
- '\TrolleyExpress.exe 8'
- '\TrolleyExpress.exe 9'
# Common dumpers
- '\TrolleyExpress.exe -ma '
renamed:
Image|endswith: '\TrolleyExpress.exe'
filter_renamed:
OriginalFileName|contains: 'CtxInstall'
filter_empty:
OriginalFileName: null
condition: selection or ( renamed and not 1 of filter* )
falsepositives:
- Unknown
level: high
title: HackTool - CreateMiniDump Execution
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
status: test
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
references:
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
author: Florian Roth (Nextron Systems)
date: 2019-12-22
modified: 2024-11-23
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\CreateMiniDump.exe'
- Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
condition: selection
falsepositives:
- Unknown
level: high