Creation of lsass Dump with Taskmgr

name: Creation of lsass Dump with Taskmgr
id: b2fbe95a-9c62-4c12-8a29-24b97e84c0cd
version: 14
creation_date: '2019-12-11'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches *lsass*.dmp. This activity is significant because creating an lsass dump can be a precursor to credential theft, as the dump file contains sensitive information such as user passwords. If confirmed malicious, an attacker could use the lsass dump to extract credentials and escalate privileges, potentially compromising the entire network.
data_source:
    - Sysmon EventID 11
search: |-
    `sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY action dest file_name
           file_path process_guid process_id
           user_id vendor_product process_name
           TargetFilename
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `creation_of_lsass_dump_with_taskmgr_filter`
how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
known_false_positives: Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager
    - https://attack.mitre.org/techniques/T1003/001/
    - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: $process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.
    entity:
        field: dest
        type: system
        score: 50
analytic_story:
    - Credential Dumping
    - CISA AA22-257A
    - Cactus Ransomware
    - Seashell Blizzard
    - Scattered Lapsus$ Hunters
asset_type: Windows
mitre_attack_id:
    - T1003.001
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit