Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 17:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2a0c1adc13d7a95710a47876350940d28817bb70
keyboardcrunch-sentinelone-…/queries/windows/lsass_memory_dumping.yml
T
keyboardcrunch 4d6ac236bc Cleaned up signature descriptions and metadata.
2020-12-05 21:45:38 -06:00

19 lines
771 B
YAML
Raw Blame History

title: LSASS Memory Dumping
description: Detection of wce (by hash), procdump, comsvc, dumpert, mimikatz, pypykatz, and werfault for LSASS dumping all in one query.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Credential Access
technique: T1003
subtechnique: 001
operating_system: windows
query: TgtProcImageSha1 = "f0c52cea19c204f5cdbe952cc7cfc182e20d8d43" OR TgtProcCmdline
ContainsCIS "-ma lsass.exe" OR TgtProcCmdline ContainsCIS "comsvcs.dll, MiniDump"
OR TgtFilePath = "C:\Windows\Temp\dumpert.dmp" OR TgtFilePath RegExp "^.*lsass.*.DMP"
OR (SrcProcCmdline ContainsCIS "sekurlsa::minidump" OR SrcProcCmdline ContainsCIS
"sekurlsa::logonpasswords") OR SrcProcCmdline ContainsCIS "live lsa"
false_positives: null
tags: null
Reference in New Issue View Git Blame Copy Permalink