From 95ddff6b4735817a680e8f249af897f7f526371f Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Fri, 13 Mar 2026 12:31:32 +0530
Subject: [PATCH 1/3] add ProcDump-based LSASS memory dump detection
---
 nursery/dump-lsass-memory-via-procdump.yml | 29 ++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 nursery/dump-lsass-memory-via-procdump.yml
diff --git a/nursery/dump-lsass-memory-via-procdump.yml b/nursery/dump-lsass-memory-via-procdump.yml
new file mode 100644
index 000000000..706ccbf56
--- /dev/null
+++ b/nursery/dump-lsass-memory-via-procdump.yml
@@ -0,0 +1,29 @@
+rule:
+ meta:
+ name: dump LSASS memory via ProcDump
+ namespace: collection/credential-dumping
+ authors:
+ - akshatpal
+ scopes:
+ static: function
+ dynamic: span of calls
+ att&ck:
+ - Credential Access::OS Credential Dumping::LSASS Memory [T1003.001]
+ references:
+ - https://attack.mitre.org/techniques/T1003/001/
+ - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Procdump/
+ features:
+ - and:
+ - match: host-interaction/process/create
+ - or:
+ - string: /procdump(64)?(\.exe)?/i
+ - string: /sysinternals\\procdump(64)?(\.exe)?/i
+ - string: /lsass(\.exe)?/i
+ - or:
+ - string: / -ma(\s|$)/i
+ - string: / -mm(\s|$)/i
+ - string: / -mp(\s|$)/i
+ - string: /\.dmp(\s|$)/i
+ - optional:
+ - string: /-accepteula/i

From 51160842271679945accea33b7dfffc6fd76ea0c Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Fri, 13 Mar 2026 13:35:32 +0530
Subject: [PATCH 2/3] reuested-changes
---
 ...-via-openprocess-and-minidumpwritedump.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 nursery/dump-lsass-memory-via-openprocess-and-minidumpwritedump.yml
diff --git a/nursery/dump-lsass-memory-via-openprocess-and-minidumpwritedump.yml b/nursery/dump-lsass-memory-via-openprocess-and-minidumpwritedump.yml
new file mode 100644
index 000000000..518a533e9
--- /dev/null
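Review bot: `- string: /lsass(\.exe)?/i` sits in the same `or:` as the two procdump regexes, so a function that creates a process and merely carries an `lsass` string plus a ` -ma ` or `.dmp ` string matches with no ProcDump reference at all, which contradicts the rule name `dump LSASS memory via ProcDump` and widens the false-positive surface to any tool that names lsass and writes a dump file. Move the lsass regex up one level so it is a direct child of `- and:` and keep only the procdump alternatives in that `or:`. Assuming capa applies regexes with search semantics, `- string: /sysinternals\\procdump(64)?(\.exe)?/i` is already covered by `/procdump(64)?(\.exe)?/i` and can be dropped. The three switch patterns `/ -ma(\s|$)/i`, `/ -mm(\s|$)/i` and `/ -mp(\s|$)/i` read more easily as one alternation, `- string: / -m[amp](\s|$)/i`.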
+++ b/nursery/dump-lsass-memory-via-openprocess-and-minidumpwritedump.yml
@@ -0,0 +1,26 @@
+rule:
+ meta:
+ name: dump LSASS memory via OpenProcess and MiniDumpWriteDump
+ namespace: collection/credential-dumping
+ authors:
+ - akshatpal
+ scopes:
+ static: function
+ dynamic: span of calls
+ att&ck:
+ - Credential Access::OS Credential Dumping::LSASS Memory [T1003.001]
+ references:
+ - https://attack.mitre.org/techniques/T1003/001/
+ - https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
+ - https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+ examples:
+ - 91a12a4cf437589ba70b1687f5acad19:0x43E1C9
+ features:
+ - and:
+ - match: open process
+ - match: create process memory minidump
+ - or:
+ - substring: "lsass.exe"
+ - substring: "\\lsass.exe"
+ - optional:
+ - match: acquire debug privileges

From 0d89e1b5bde965508121a6221056957911b4354d Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Fri, 13 Mar 2026 14:01:26 +0530
Subject: [PATCH 3/3] changes
---
 nursery/dump-lsass-memory-via-procdump.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/nursery/dump-lsass-memory-via-procdump.yml b/nursery/dump-lsass-memory-via-procdump.yml
index 706ccbf56..23723fef2 100644
--- a/nursery/dump-lsass-memory-via-procdump.yml
+++ b/nursery/dump-lsass-memory-via-procdump.yml
@@ -13,6 +13,8 @@ rule:
 - https://attack.mitre.org/techniques/T1003/001/
 - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Procdump/
+ examples:
+ - 91a12a4cf437589ba70b1687f5acad19:0x43E1C9
 features:
 - and:
 - match: host-interaction/process/create
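Review bot: The `or:` of `substring: "lsass.exe"` and `substring: "\\lsass.exe"` collapses to its first entry, because every string containing `\lsass.exe` also contains `lsass.exe`, and as far as I know capa's substring matching is case-sensitive, so `LSASS.EXE` or `Lsass.exe`, both common in samples, would not match. Replace both entries with the case-insensitive regex `- string: /lsass(\.exe)?/i`, which also keeps this rule consistent with the ProcDump rule introduced in PATCH 1/3. At `function` scope the rule additionally requires the target name to appear in the same function as the `open process` and `create process memory minidump` matches; dumpers that resolve lsass through process enumeration in a separate routine will be missed, and a short `description:` under `meta:` stating that limitation would help whoever later tunes the rule.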
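Review bot: The example added here, `91a12a4cf437589ba70b1687f5acad19:0x43E1C9`, is the same sample and function address that PATCH 2/3 lists for the OpenProcess/MiniDumpWriteDump rule; one function satisfying both an API-based dump rule and this command-line-string rule seems unlikely, so the example probably does not match and should be confirmed by running capa (or its rule linter) against the sample before the rule leaves the nursery. If it does match, a `description:` noting that the sample drops and executes ProcDump in that function would save the next reader the same check. The rule's `features:` block continues past the end of this hunk.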