Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
Dumping the memory of Lsass.exe (Local Security Authority Subsystem Service) to a file allows attackers to later extract credentials from the memory dump.
Attacker's Goals
Attackers may try to extract OS credentials from the Lsass.exe memory dump file.
Investigative actions
Check the dumping process for more suspicious activity.