Windows potential lsass process dump via procdump

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects attempts to dump the LSASS process memory using the Sysinternals ProcDump utility.

Strategy

This rule monitors Windows event logs that record process command lines for execution patterns associated with using ProcDump to extract credentials from the Local Security Authority Subsystem Service (LSASS) process. It flags a command line that contains the -ma switch (write a full memory dump) together with a reference to the lsass.exe process. Because the match is made on the command line rather than on the name or path of the executable, Datadog also catches cases in which the attacker has renamed the ProcDump binary. LSASS holds credential material in memory (plaintext passwords, NTLM hashes, Kerberos tickets) that attackers target for lateral movement and privilege escalation, and ProcDump is a signed Sysinternals tool with legitimate administrative uses, so it is frequently turned to when dedicated credential-dumping tools are blocked. Note that ProcDump also accepts a process ID in place of a process name and can write a smaller minidump with -mm instead of -ma; a command line such as procdump -ma 712 contains no reference to lsass.exe and does not match this rule, so it is worth correlating full-dump activity with the LSASS PID on the host during triage.
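The detection logic described above, as an added example that is not part of the Datadog rule or of ProcDump itself: a Python check run over constructed process-creation records. The field names (host, Image, CommandLine) and the sample command lines are made up for the example, the acceptance of a / prefix on switches is an assumption, and the PID-aware variant assumes the analyst already knows the LSASS PID on each host.

```python
import re

# Constructed sample process-creation events (not real telemetry). The fields
# mirror what a process-creation record carrying the command line would hold.
SAMPLE_EVENTS = [
    {"host": "ws01", "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\lsass.dmp"},
    # Renamed ProcDump: the image name gives nothing away, the command line does.
    {"host": "ws02", "Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": r"svchost.exe -accepteula -ma LSASS C:\Users\Public\x.dmp"},
    # Benign full dump of another process: must not fire.
    {"host": "ws03", "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -ma notepad.exe"},
    # LSASS addressed by PID instead of name: evades a name-based match.
    {"host": "ws04", "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma 712 out.dmp"},
    # Minidump (-mm) rather than full dump (-ma): outside this rule's scope.
    {"host": "ws05", "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -mm lsass.exe mini.dmp"},
]

# A standalone -ma switch (a / prefix is accepted here as an assumption) and a
# standalone lsass or lsass.exe argument. Anchoring on whitespace keeps an
# output path such as C:\Temp\lsass.dmp from counting as the target.
FLAG_RE = re.compile(r"(?i)(?:^|\s)[-/]ma(?=\s|$)")
TARGET_RE = re.compile(r"(?i)(?:^|\s)lsass(?:\.exe)?(?=\s|$)")


def is_lsass_procdump(cmdline: str) -> bool:
    """Mirror of the rule's logic: -ma and an lsass[.exe] argument in one command
    line. The image name and path are deliberately ignored so that a renamed
    ProcDump binary still matches."""
    return bool(FLAG_RE.search(cmdline) and TARGET_RE.search(cmdline))


def detect(events):
    """Return the hosts whose command line matches the rule."""
    return [e["host"] for e in events if is_lsass_procdump(e["CommandLine"])]


def detect_with_pid(events, lsass_pid_by_host):
    """Broader variant for triage: also flag a full dump that names the LSASS PID
    rather than the process name, given a per-host map of that PID (an assumption:
    the analyst obtained it from the host's own process telemetry)."""
    hits = []
    for e in events:
        cmd = e["CommandLine"]
        if not FLAG_RE.search(cmd):
            continue
        pid = lsass_pid_by_host.get(e["host"])
        by_pid = pid is not None and str(pid) in cmd.split()
        if TARGET_RE.search(cmd) or by_pid:
            hits.append(e["host"])
    return hits


if __name__ == "__main__":
    print("rule matches:", detect(SAMPLE_EVENTS))
    print("with known LSASS PID:", detect_with_pid(SAMPLE_EVENTS, {"ws04": 712}))
```

Running the block shows ws01 and ws02 matching the rule as written, while ws04 (dump by PID) is only caught once the LSASS PID for that host is supplied, and ws05 (-mm) is never caught; those two are the gaps to keep in mind when this rule is the only LSASS coverage in place.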

Triage & Response

  • Examine the full command line on {{host}} to confirm it targeted the LSASS process, note the output path of the dump file, and understand any additional parameters used.
  • Investigate whether the dump file was accessed, copied, or exfiltrated after creation.
  • Review authentication logs from before the event to determine how the actor obtained access, and the administrative privileges needed, to run ProcDump against LSASS.
  • Ensure command-line and PowerShell logging is enabled across the environment so that renamed or otherwise disguised tooling remains visible.