Windows credential dumping via WER application error

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects Windows Error Reporting events triggered by Local Security Authority Subsystem Service (LSASS) crashes indicative of active credential dumping attempts.

Strategy

This rule monitors Windows Application Error events (event ID 1000 in the Application log) where @Event.EventData.Data.Application is lsass.exe and @Event.EventData.Data.ExceptionCode is c0000001.

LSASS stores authentication credentials and security tokens in memory. Credential dumping tools often interact with LSASS memory in ways that cause access violations, resulting in process crashes with specific exception codes.
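As an added illustration of the matching logic above (example code, not part of the Datadog rule or its engine), the following Python checks the three conditions against constructed JSON log lines in the nested shape a Windows Event Log forwarder emits. The field path is assumed to mirror the @Event.EventData.Data.* names quoted on the page, and the sample host names are made up. It goes slightly beyond the page by normalizing the exception code (optional 0x prefix, case) and the application name (full path vs bare file name), since forwarders differ in how they render those values, and by skipping malformed lines instead of aborting the scan.

```python
import json
import ntpath

# Rule conditions from the page: event ID 1000, Application lsass.exe, ExceptionCode c0000001.
TARGET_EVENT_ID = 1000
TARGET_APPLICATION = "lsass.exe"
TARGET_EXCEPTION_CODE = "c0000001"

# Constructed sample log lines (not real telemetry). The nested Event/System/EventData
# layout is an assumption mirroring the @Event.EventData.Data.* path on the page.
SAMPLE_LOG_LINES = [
    # Match: LSASS crash with the exception code the rule looks for.
    json.dumps({"Event": {"System": {"EventID": 1000, "Computer": "WS01.corp.example"},
                          "EventData": {"Data": {"Application": "lsass.exe",
                                                 "ExceptionCode": "c0000001",
                                                 "FaultingModule": "ntdll.dll"}}}}),
    # Match: same crash, but the forwarder kept the full path and a 0x prefix.
    json.dumps({"Event": {"System": {"EventID": "1000", "Computer": "DC01.corp.example"},
                          "EventData": {"Data": {"Application": r"C:\Windows\System32\lsass.exe",
                                                 "ExceptionCode": "0xC0000001"}}}}),
    # No match: a different application crashed.
    json.dumps({"Event": {"System": {"EventID": 1000, "Computer": "WS02.corp.example"},
                          "EventData": {"Data": {"Application": "notepad.exe",
                                                 "ExceptionCode": "c0000005"}}}}),
    # No match: LSASS crashed with a different exception code.
    json.dumps({"Event": {"System": {"EventID": 1000, "Computer": "WS03.corp.example"},
                          "EventData": {"Data": {"Application": "lsass.exe",
                                                 "ExceptionCode": "c0000005"}}}}),
    # No match: right data fields, wrong event ID.
    json.dumps({"Event": {"System": {"EventID": 1001, "Computer": "WS04.corp.example"},
                          "EventData": {"Data": {"Application": "lsass.exe",
                                                 "ExceptionCode": "c0000001"}}}}),
    # Malformed line: must be skipped, not crash the detector.
    "not json at all",
]


def normalize_exception_code(code):
    """Lower-case the code and drop an optional 0x prefix so that
    'c0000001' and '0xC0000001' compare equal."""
    code = str(code).strip().lower()
    return code[2:] if code.startswith("0x") else code


def normalize_application(app):
    """Keep only the lower-cased file name so a full path still matches."""
    return ntpath.basename(str(app)).lower()


def matches_rule(event):
    """Return True when a parsed event satisfies all three rule conditions."""
    try:
        system = event["Event"]["System"]
        data = event["Event"]["EventData"]["Data"]
        event_id = int(system["EventID"])
    except (KeyError, TypeError, ValueError):
        return False  # missing or oddly shaped fields never match
    return (event_id == TARGET_EVENT_ID
            and normalize_application(data.get("Application", "")) == TARGET_APPLICATION
            and normalize_exception_code(data.get("ExceptionCode", "")) == TARGET_EXCEPTION_CODE)


def find_lsass_crashes(lines):
    """Parse each JSON log line and return the hosts that produced a matching event."""
    hosts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed input rather than abort the scan
        if matches_rule(event):
            hosts.append(event["Event"]["System"].get("Computer", "<unknown>"))
    return hosts


if __name__ == "__main__":
    for host in find_lsass_crashes(SAMPLE_LOG_LINES):
        print(f"LSASS crash with exception c0000001 on {host}: triage for credential dumping")
```

Running the script reports the first two sample hosts only; the third and fourth lines show why all three conditions must hold together, since an event ID 1000 crash of another process, or an LSASS crash with a different exception code, is routine noise rather than a signal for this rule.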

Triage & Response

  • Examine the Application event logs on {{host}} for details about the LSASS crash.
  • Review process execution history for credential dumping tools like Mimikatz.
  • Check for unauthorized authentication attempts using potentially extracted credentials.
  • Identify any lateral movement attempts from {{host}}.
  • Capture memory dumps if available for forensic analysis.
  • Force password resets for all accounts accessed on the affected system.