mitre-attack / car

Cyber Analytics Repository

Credential Dumping via Sysinternals ProcDump

ForensicITGuy opened this issue · comments

The Sysinternals ProcDump utility may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.

ATT&CK Coverage

Technique           | Level of Coverage
--------------------|------------------
Credential Dumping  | Moderate

Analytic Code

The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).

Pseudocode

processes = search Process:Create
procdump_lsass = filter processes where (
    exe = "procdump*.exe" and
    command_line = "*lsass*")

Splunk, Sysmon native

index=__your_sysmon_index__ EventCode=1 Image="*\\procdump*.exe" CommandLine="*lsass*"

EQL

process where subtype.create and
  process_name == "procdump*.exe" and command_line == "*lsass*"

Test Cases

  1. Open a Windows Command Prompt or PowerShell instance.
  2. Navigate to the folder containing ProcDump.
  3. Execute procdump.exe -ma lsass.exe lsass_dump

Data Model Mappings

Elements from the CAR data model that are required for this analytic. This is required.

Object  | Action | Field
--------|--------|-------------
process | create | exe
process | create | command_line

Developer Certificate of Origin

DCO signed-off-by: Tony M Lambert tony.lambert@redcanary.com

@ForensicITGuy thanks for the contribution! We actually just added an analytic for this from another contribution: https://car.mitre.org/analytics/CAR-2019-07-002/

However, you've provided some useful additional information here, including some different implementations and test cases. If it's ok with you, I'll merge this into the existing analytic and add you as a contributor.

Hey, absolutely, I'm good with it.

@ForensicITGuy awesome - thanks! I've updated the analytic with your contributions in 48f30fd.