
LSASS Process Memory Dump Creation Via Taskmgr.EXE

Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.

Author: Swachchhanda Shrawan Poudel
Created: Thu Oct 19
Rule ID: 69ca12af-119d-44ed-b50f-a47af0ebc364

Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic
detection:
    selection:
        Image|endswith:
            - ':\Windows\system32\taskmgr.exe'
            - ':\Windows\SysWOW64\taskmgr.exe'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '\lsass'
            - '.DMP'
    condition: selection
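
Added example, not code from the rule or from SigmaHQ: a small Python evaluator that applies the selection above to constructed Sysmon Event ID 11 (FileCreate) records. It shows that the list under `Image|endswith` is an OR, that `contains|all` requires every substring, and that Sigma string matching is case-insensitive by default, so the `lsass.DMP` Task Manager writes matches `.DMP` and `\lsass` whatever the case. The field names, user name and paths are assumptions.

```python
# Added example (not from the Sigma rule or SigmaHQ): evaluate the rule's
# `selection` against constructed Sysmon Event ID 11 (FileCreate) records.

# Values copied from the rule. Sigma string matching is case-insensitive by
# default, so every comparison below lowercases both sides.
IMAGE_ENDSWITH = (
    ":\\Windows\\system32\\taskmgr.exe",
    ":\\Windows\\SysWOW64\\taskmgr.exe",
)
TARGET_CONTAINS_ALL = ("\\AppData\\Local\\Temp\\", "\\lsass", ".DMP")


def matches(event: dict) -> bool:
    """True when the event satisfies the selection: `Image|endswith` with a
    list is OR (any suffix), `TargetFilename|contains|all` is AND (every
    substring), and the two fields are ANDed because they share a selection."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    image_ok = any(image.endswith(s.lower()) for s in IMAGE_ENDSWITH)
    target_ok = all(s.lower() in target for s in TARGET_CONTAINS_ALL)
    return image_ok and target_ok


def evaluate(events) -> list:
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if matches(e)]


# Constructed sample records (not real telemetry); user and paths are made up.
SAMPLE_EVENTS = [
    {  # Task Manager "Create dump file" on lsass.exe: should alert
        "Image": "C:\\Windows\\system32\\Taskmgr.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\lsass.DMP",
    },
    {  # Task Manager dump of another process: no "\lsass" substring, no alert
        "Image": "C:\\Windows\\system32\\Taskmgr.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\notepad.DMP",
    },
    {  # lsass dump written outside Temp: contains|all fails, no alert
        "Image": "C:\\Windows\\SysWOW64\\Taskmgr.exe",
        "TargetFilename": "D:\\dumps\\lsass.DMP",
    },
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT: LSASS dump via Task Manager ->", hit)
```

The third record shows why all three substrings are required: a dump of lsass written anywhere other than the user's Temp folder is outside this rule's scope and needs separate coverage.
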
False Positives

Rare case of troubleshooting by an administrator or support that has to be investigated regardless

Testing & Validation

Regression Tests (by SigmaHQ Team)

Positive Detection Test: 1 match (evtx sample, Microsoft-Windows-Sysmon)

Rule Metadata
Rule ID: 69ca12af-119d-44ed-b50f-a47af0ebc364
Status: test
Level: high
Type: Detection
Created: Thu Oct 19
Path: rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml
Raw Tags: attack.credential-access, attack.t1003.001