mitre-attack / car

Cyber Analytics Repository

Credential Dumping via Task Manager

ForensicITGuy opened this issue · comments

Credential Dumping via Windows Task Manager

The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking "Create dump file". This saves a dump file to disk with the process's name in the file name.

This requires filesystem data to determine whether files have been created.

ATT&CK Coverage

Technique            Level of Coverage
Credential Dumping   Moderate

Analytic Code

The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).

Pseudocode

files = search File:Create
lsass_dump = filter files where (
    file_name = "lsass*.dmp"  and
    image_path = "C:\Windows\*\taskmgr.exe")

Splunk, Sysmon native

index=__your_sysmon_index__ EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe"

EQL

file where file_name == "lsass*.dmp" and process_name == "taskmgr.exe"

Test Cases

  1. Open Windows Task Manager as Administrator
  2. Select lsass.exe
  3. Right-click on lsass.exe and select "Create dump file".

Data Model Mappings

Elements from the CAR data model that are required for this analytic. This is required.

Object   Action   Field
file     create   file_name

Developer Certificate of Origin

DCO signed-off-by: Tony M Lambert tony.lambert@redcanary.com

@ForensicITGuy thanks for the contribution - it's especially great that you included multiple implementations :)

A few questions:

  • What would classify the "type" of this analytic (see https://car.mitre.org/Glossary)? I would assume that it's TTP?
  • Is the file name created by the task manager dump deterministic (i.e., will it always have lsass in the name)?

Hey @ikiril01, that would be correct; it would be a TTP.

For the second question, there's no place to specify the file name with Task Manager, so it should always be deterministic, such as lsass.dmp, lsass (1).dmp and so on.
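As an added example (my own code, not part of this issue and not from the CAR repository), the pseudocode analytic above replayed in Python over Sysmon Event ID 11 (FileCreate) records, including the "lsass (1).dmp" naming for a repeated dump confirmed in the reply above. The event records, the helper names (sysmon_event, parse_sysmon_event, is_taskmgr_lsass_dump, find_lsass_dumps) and the %TEMP% paths are constructed for this example; the Sysmon events are not captured from a real host.

```python
import ntpath
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Patterns straight from the analytic. Windows file systems are case-insensitive,
# so both the pattern and the event fields are compared in lower case.
LSASS_DUMP_NAME = "lsass*.dmp"                 # lsass.dmp, lsass (1).dmp, ...
TASKMGR_IMAGE = r"c:\windows\*\taskmgr.exe"    # System32 or SysWOW64 copy


def sysmon_event(event_id, **data):
    """Build a minimal Sysmon event XML string (System/EventID + EventData)."""
    fields = "".join(f'<Data Name="{name}">{value}</Data>' for name, value in data.items())
    return (f"<Event><System><EventID>{event_id}</EventID></System>"
            f"<EventData>{fields}</EventData></Event>")


# Constructed sample events (not captured from a real host). Task Manager writes
# its dump to the user's %TEMP% directory, numbering repeats as "lsass (1).dmp".
SAMPLE_EVENTS = [
    sysmon_event(11, Image=r"C:\Windows\System32\Taskmgr.exe",
                 TargetFilename=r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"),
    sysmon_event(11, Image=r"C:\Windows\SysWOW64\Taskmgr.exe",
                 TargetFilename=r"C:\Users\alice\AppData\Local\Temp\lsass (1).dmp"),
    # Task Manager dumping some other process: not an lsass dump.
    sysmon_event(11, Image=r"C:\Windows\System32\Taskmgr.exe",
                 TargetFilename=r"C:\Users\alice\AppData\Local\Temp\notepad.dmp"),
    # lsass dump written by another tool: outside this analytic's scope.
    sysmon_event(11, Image=r"C:\Tools\procdump64.exe",
                 TargetFilename=r"C:\Tools\lsass.dmp"),
    # A copy of taskmgr.exe run from outside C:\Windows: the path-anchored
    # pseudocode/Splunk form misses it, the name-only EQL form catches it.
    sysmon_event(11, Image=r"C:\Users\bob\Downloads\taskmgr.exe",
                 TargetFilename=r"C:\Users\bob\Downloads\lsass.dmp"),
    # Not a FileCreate event at all; dropped by the EventID check.
    sysmon_event(1, Image=r"C:\Windows\System32\Taskmgr.exe",
                 CommandLine="taskmgr.exe"),
]


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into a dict of EventID plus EventData fields."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.findtext("System/EventID"))}
    for data in root.iter("Data"):
        event[data.get("Name")] = data.text or ""
    return event


def is_taskmgr_lsass_dump(event, anchor_image_path=True):
    """Apply the analytic's filter to one parsed event.

    anchor_image_path=True mirrors the pseudocode and Splunk search
    (image_path = C:\\Windows\\*\\taskmgr.exe); False mirrors the EQL form,
    which only checks the process name.
    """
    if event["EventID"] != 11:          # Sysmon FileCreate only
        return False
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not fnmatchcase(ntpath.basename(target), LSASS_DUMP_NAME):
        return False
    if anchor_image_path:
        return fnmatchcase(image, TASKMGR_IMAGE)
    return ntpath.basename(image) == "taskmgr.exe"


def find_lsass_dumps(xml_events, anchor_image_path=True):
    """Return the TargetFilename of every event the analytic would flag."""
    hits = []
    for raw in xml_events:
        event = parse_sysmon_event(raw)
        if is_taskmgr_lsass_dump(event, anchor_image_path):
            hits.append(event["TargetFilename"])
    return hits


if __name__ == "__main__":
    for path in find_lsass_dumps(SAMPLE_EVENTS):
        print("lsass dump created by Task Manager:", path)
```

Run stand-alone it prints the two %TEMP% dumps. The anchor_image_path switch is there to make the difference between the three implementations on the page visible: the pseudocode and Splunk forms pin taskmgr.exe under C:\Windows, so a copied binary run from elsewhere is not flagged, while the EQL form matches on process_name alone and does flag it, at the cost of also trusting any file named taskmgr.exe.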

Added this in a PR - #32. Thanks again for the submission!