Detectionhightest
Credential Dumping Attempt Via WerFault
Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Wed Jun 27Updated Wed Nov 29e5b33f7d-eb93-48b6-9851-09e1e610b6d7windows
Log Source
WindowsProcess Access
ProductWindows← raw: windows
CategoryProcess Access← raw: process_access
Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.
Detection Logic
Detection Logic1 selector
detection:
selection:
SourceImage|endswith: '\WerFault.exe'
TargetImage|endswith: '\lsass.exe'
GrantedAccess: '0x1FFFFF'
condition: selectionFalse Positives
Actual failures in lsass.exe that trigger a crash dump (unlikely)
Unknown cases in which WerFault accesses lsass.exe
References
MITRE ATT&CK
Rule Metadata
Rule ID
e5b33f7d-eb93-48b6-9851-09e1e610b6d7
Status
test
Level
high
Type
Detection
Created
Wed Jun 27
Modified
Wed Nov 29
Path
rules/windows/process_access/proc_access_win_lsass_werfault.yml
Raw Tags
attack.credential-accessattack.t1003.001attack.s0002