
add ProcDump-based LSASS memory dump detection#1139

Open
akshat4703 wants to merge 3 commits into mandiant:master from akshat4703:procdump

Conversation

@akshat4703
Contributor

Summary

Add a new nursery rule to detect LSASS memory dumping using ProcDump based on command execution patterns.

The rule identifies behavior where ProcDump is used to create a memory dump of the lsass process, which is a common technique used by attackers to extract Windows credentials.


What Changed

Added a new rule:

  • dump-lsass-memory-via-procdump.yml

The rule matches when the following indicators appear together:

  • Process creation behavior
    match: host-interaction/process/create

  • ProcDump execution indicator
    procdump or procdump64 (with optional .exe)

  • LSASS process target
    lsass or lsass.exe

  • Dump-related arguments or output
    -ma, -mm, -mp, or .dmp

Optional command-line arguments supported:

  • -accepteula

Requiring multiple signals helps reduce false positives while capturing realistic attacker usage patterns.


Why

ProcDump is frequently abused as a LOLBin to dump memory from the LSASS (Local Security Authority Subsystem Service) process. Attackers can then extract credentials from the dump using tools such as Mimikatz.

This rule helps identify that behavior by matching common ProcDump command-line patterns targeting LSASS.

Example attacker command:

procdump -ma lsass.exe lsass.dmp

ATT&CK Mapping

Credential Access → OS Credential Dumping → LSASS Memory

MITRE ATT&CK: T1003.001


References

  • MITRE ATT&CK T1003.001
  • Sysinternals ProcDump documentation
  • LOLBAS ProcDump entry

Validation

The rule was validated with the following checks:

capafmt
lint --thorough -t "dump LSASS memory via ProcDump"

Both checks passed successfully.
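To make the "multiple signals together" logic concrete, here is an added Python example (not the rule from this PR and not capa's own matching engine) that applies the same four indicators described above to constructed command lines. The regular expressions and the `process_created` flag are my assumptions about how the signals would be expressed; the sample events are constructed, not taken from any real sample.

```python
import re

# Patterns mirroring the indicators listed in the PR description (assumed
# phrasing; capa's rule syntax is not reproduced here).
PROCDUMP_RE = re.compile(r"\bprocdump(?:64)?(?:\.exe)?\b", re.IGNORECASE)
LSASS_RE = re.compile(r"\blsass(?:\.exe)?\b", re.IGNORECASE)
DUMP_ARG_RE = re.compile(r"(?:^|\s)-m[amp]\b|\.dmp\b", re.IGNORECASE)


def signals(cmdline: str) -> dict:
    """Report which of the three command-line indicators are present."""
    return {
        "procdump": bool(PROCDUMP_RE.search(cmdline)),
        "lsass": bool(LSASS_RE.search(cmdline)),
        "dump_arg": bool(DUMP_ARG_RE.search(cmdline)),
    }


def is_lsass_dump_via_procdump(cmdline: str, process_created: bool = True) -> bool:
    """True only when a process-creation event and all three string signals coincide."""
    if not process_created:
        return False
    return all(signals(cmdline).values())


# Constructed sample events: (process_created, command line). Not real telemetry.
SAMPLE_EVENTS = [
    (True, "procdump -ma lsass.exe lsass.dmp"),
    (True, r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\out.dmp"),
    (True, "procdump -ma notepad.exe notepad.dmp"),      # ProcDump, but not LSASS
    (True, 'tasklist /fi "imagename eq lsass.exe"'),     # LSASS named, no ProcDump
    (False, "procdump -ma lsass.exe lsass.dmp"),         # string present, no process creation
]


def scan(events=SAMPLE_EVENTS) -> list:
    """Return the command lines that satisfy every signal at once."""
    return [cmd for created, cmd in events if is_lsass_dump_via_procdump(cmd, created)]


if __name__ == "__main__":
    for created, cmd in SAMPLE_EVENTS:
        print(is_lsass_dump_via_procdump(cmd, created), signals(cmd), cmd)
```

Only the first two constructed events match; the remaining three show how requiring all signals together keeps single-indicator hits (ProcDump against another process, or LSASS merely named) from firing.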

@williballenthin
Collaborator

do you have an associated sample that you used to test/develop this rule?

@akshat4703
Contributor Author

> do you have an associated sample that you used to test/develop this rule?

Yes, added meta.examples from the sample I used during development:

91a12a4cf437589ba70b1687f5acad19:0x43E1C9
