Detectionhightest

WerFault LSASS Process Memory Dump

Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Mon Jun 27c3e76af5-4ce0-4a14-9c9a-25ceb8fda182windows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        Image: C:\WINDOWS\system32\WerFault.exe
        TargetFilename|contains:
            - '\lsass'
            - 'lsass.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1003.001 · LSASS Memory

Rule Metadata

Rule ID

c3e76af5-4ce0-4a14-9c9a-25ceb8fda182

Status

test

Level

high

Type

Detection

Created

Mon Jun 27

Author

Florian Roth (Nextron Systems)

Path

rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml

Raw Tags

attack.credential-accessattack.t1003.001

View on GitHub