dump-lsass-memory-via-openprocess-and-minidumpwritedump #1138
Open
akshat4703 wants to merge 1 commit into mandiant:master from
Conversation
Collaborator
williballenthin
left a comment
Do you have an associated sample that you used during development?
| - and: | ||
| - or: | ||
| - match: open process | ||
| - api: kernel32.OpenProcess |
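Review bot: the `api: kernel32.OpenProcess` entry under the `or` is redundant with `match: open process`, since the referenced `open process` rule already covers OpenProcess, NtOpenProcess and ZwOpenProcess; drop the explicit api line and keep only `- match: open process` so the block does not duplicate what the matched rule already expresses.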
Collaborator
Why both the APIs and the match?
Contributor
Author
Wrong thinking from my side: match: open process already covers OpenProcess, NtOpenProcess, and ZwOpenProcess, so I'll remove the explicit API entries and keep the match-based form.
Contributor
Author
Yes, I used 91a12a4cf437589ba70b1687f5acad19.exe_ during development (the same sample used by the existing create process memory minidump rule). I'll add it under meta.examples for this rule.
Summary
Add a rule to detect attempts to access LSASS and create a memory dump.
Many credential-stealing tools and malware families dump the Local Security Authority Subsystem Service (LSASS) process to extract credentials. This capability can often be identified by combining LSASS process discovery with APIs used to open the process and write a memory dump.
Motivation
Dumping LSASS memory is a common credential-access technique used by tools such as Mimikatz and many commodity malware families. Detecting this behavior would improve capa’s ability to identify credential-theft capabilities in analyzed binaries.
Proposed Detection Logic
The rule should look for a combination of signals related to LSASS discovery, process access, and dumping behavior.
1. LSASS Process Discovery
- string: lsass.exe
2. Process Access
- OpenProcess
- NtOpenProcess
- PROCESS_VM_READ
- PROCESS_QUERY_INFORMATION
3. Dump Creation
- MiniDumpWriteDump
- DbgHelp functions associated with process dumping
4. Additional Variant
Some implementations open LSASS via duplicated handles instead of directly calling OpenProcess. The rule could also account for flows involving:
- DuplicateHandle
False Positive Reduction
To avoid overly broad matches, the rule should require at least two independent signals, such as:
- MiniDumpWriteDump
This multi-signal requirement should help reduce false positives in legitimate debugging tools.
Example Capability
Credential dumping via LSASS process memory access.
Potential Rule Scope
Function scope or file scope depending on feature availability and matching reliability.
Notes
This rule focuses on identifying the behavior of accessing and dumping LSASS, rather than detecting specific tools.
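As an added example (not code from this PR or from capa itself), the proposed detection logic evaluated over constructed feature sets in Python: it assumes the reading "LSASS discovery AND at least two of {process access, dump creation, DuplicateHandle variant}" of the false-positive section, and uses "type:value" feature strings that only mimic capa's spelling.

```python
# Added example: a minimal evaluator for the multi-signal LSASS dump logic.
# Feature spellings imitate capa's "type:value" form but are an assumption here.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010

# Rule nodes: ("feature", f), ("and", [...]), ("or", [...]), ("at_least", n, [...])
LSASS_DISCOVERY = ("feature", "string:lsass.exe")
PROCESS_ACCESS = ("and", [
    ("or", [("feature", "api:kernel32.OpenProcess"),
            ("feature", "api:ntdll.NtOpenProcess")]),
    # access mask seen as an immediate: PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    ("feature", f"number:{PROCESS_QUERY_INFORMATION | PROCESS_VM_READ:#x}"),
])
DUMP_CREATION = ("feature", "api:dbghelp.MiniDumpWriteDump")
HANDLE_VARIANT = ("feature", "api:kernel32.DuplicateHandle")

# Discovery is mandatory; any two of the remaining independent signals complete the match.
DUMP_LSASS_RULE = ("and", [
    LSASS_DISCOVERY,
    ("at_least", 2, [PROCESS_ACCESS, DUMP_CREATION, HANDLE_VARIANT]),
])


def evaluate(node, features):
    """Recursively evaluate a rule node against a set of extracted features."""
    kind = node[0]
    if kind == "feature":
        return node[1] in features
    if kind == "and":
        return all(evaluate(child, features) for child in node[1])
    if kind == "or":
        return any(evaluate(child, features) for child in node[1])
    if kind == "at_least":
        return sum(evaluate(child, features) for child in node[2]) >= node[1]
    raise ValueError(f"unknown node kind {kind!r}")


def dumps_lsass(features):
    return evaluate(DUMP_LSASS_RULE, frozenset(features))


# Constructed feature sets (not extracted from any real file).
CREDENTIAL_DUMPER = {"string:lsass.exe", "api:kernel32.OpenProcess", "number:0x410",
                     "api:dbghelp.MiniDumpWriteDump"}
HANDLE_DUP_VARIANT = {"string:lsass.exe", "api:kernel32.DuplicateHandle",
                      "api:dbghelp.MiniDumpWriteDump"}
LEGIT_CRASH_HANDLER = {"api:kernel32.OpenProcess", "number:0x410",
                       "api:dbghelp.MiniDumpWriteDump"}  # no LSASS discovery
SINGLE_SIGNAL = {"string:lsass.exe", "api:kernel32.OpenProcess", "number:0x410"}
```

The last two sets show the false-positive reduction at work: a generic crash handler and a sample with only one extra signal both fall short of the rule.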