Windows potential lsass process dump via procdump

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects attempts to dump the LSASS process memory using the Sysinternals ProcDump utility.

Strategy

This rule monitors Windows event logs for command line execution patterns associated with using ProcDump to extract credentials from the Local Security Authority Subsystem Service (LSASS) process. It detects attempts to create memory dumps by looking for command lines that contain the -ma parameter together with the lsass.exe process name. Because the match is on the arguments rather than the executable name, Datadog also catches cases in which the attacker has renamed the procdump executable. LSASS holds sensitive credentials in memory, and attackers commonly target it for lateral movement and privilege escalation, even when other credential dumping tools are blocked.
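The argument-based match described above, written out as an added example (not Datadog's own rule logic) and run over a few constructed process-creation events; the Image and CommandLine field names follow Sysmon Event ID 1 conventions and the sample values are made up for illustration:

```python
import re
from typing import Dict, List

# The -ma switch as a standalone token; ProcDump accepts it case-insensitively and with / or -.
MA_FLAG = re.compile(r"(?:^|\s)[-/]ma(?=\s|$)", re.IGNORECASE)
# A reference to the LSASS process by name, with or without the .exe suffix.
LSASS_REF = re.compile(r"""(?:^|[\s"'\\])lsass(?:\.exe)?(?=[\s"']|$)""", re.IGNORECASE)


def is_lsass_procdump(command_line: str) -> bool:
    """True when a command line requests a full memory dump (-ma) of lsass.exe.

    The check deliberately ignores the executable name, so a renamed
    ProcDump binary is still caught as long as its arguments are the same.
    """
    return bool(MA_FLAG.search(command_line)) and bool(LSASS_REF.search(command_line))


def flag_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the process-creation events whose command line matches."""
    return [e for e in events if is_lsass_procdump(e.get("CommandLine", ""))]


# Constructed sample events (not real telemetry). Only the first two should fire:
# the second uses a renamed binary, the third dumps a different process, the
# fourth merely mentions lsass.exe without the -ma switch.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp"},
    {"Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": r'"C:\Users\Public\svchost.exe" -accepteula -MA LSASS.EXE out.dmp'},
    {"Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma notepad.exe notepad.dmp"},
    {"Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": 'tasklist /FI "IMAGENAME eq lsass.exe"'},
]

if __name__ == "__main__":
    for event in flag_events(SAMPLE_EVENTS):
        print(f"ALERT image={event['Image']} cmd={event['CommandLine']}")
```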

Triage & Response

  • Examine the full command line on {{host}} to confirm it was targeting the LSASS process and understand any additional parameters used.
  • Investigate if the dump file was accessed, copied, or exfiltrated after creation.
  • Review authentication logs before the incident to identify how the attacker gained access to execute ProcDump.
  • Ensure PowerShell and command line logging are enabled across the environment for better visibility.