feat(rules): Add LSASS memory dump via MiniDumpWriteDump rule

rabbitstack · rabbitstack · commit 328f7be7a755 · 2025-04-04T20:14:27.000+02:00
Identifies access to the Local Security Authority Subsystem Service (LSASS) process to dump the memory via MiniDumpWriteDump API.
diff --git a/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml b/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml
@@ -0,0 +1,33 @@
+name: LSASS memory dump via MiniDumpWriteDump
+id: fd7ced77-4a95-4658-80f6-6b9d7b5e3777
+version: 1.0.0
+description: |
+  Identifies access to the Local Security Authority Subsystem Service (LSASS) process to dump the
+  memory via MiniDumpWriteDump API.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.id: T1003
+  technique.name: OS Credential Dumping
+  technique.ref: https://attack.mitre.org/techniques/T1003/
+  subtechnique.id: T1003.001
+  subtechnique.name: LSASS Memory
+  subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
+references:
+  - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
+  - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+  - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
+
+condition: >
+  ((open_process) or (open_thread)) and kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
+    and
+  (thread.callstack.modules imatches ('*dbgcore.dll', '*comsvcs.dll') or thread.callstack.symbols imatches ('*MiniDumpWriteDump'))
+action:
+  - name: kill
+
+output: >
+  LSASS memory dump attempt by process %ps.exe via MiniDumpWriteDump
+severity: high
+
+min-engine-version: 2.4.0
