Memory Heist Preparation Detected

Last updated on:

About the rule

Rule Type

Advanced

Rule Description

Detects credential dumping attempts preceded by suspicious registry modifications to weaken LSASS. A follow-up alert confirms blocked techniques like Mimikatz. This two-stage pattern indicates targeted post-exploitation activity.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Registry entry Created or Modified" AND (((OBJECTNAME contains "Windows\Windows Error Reporting\LocalDumps\lsass.exe" AND (OBJECTVALUENAME = "DumpType" OR OBJECTNAME endswith "DumpType")) AND (DETAILS = "dword (0x00000002)" OR CHANGES = "2")) OR ((OBJECTNAME contains "Control\SecurityProviders\Wdigest" AND (OBJECTVALUENAME = "UseLogonCredential" OR OBJECTNAME endswith "UseLogonCredential")) AND DETAILS = "dword (0x00000001)") OR (OBJECTNAME contains "Control\CrashControl" AND (OBJECTVALUENAME = "CrashDumpEnabled" OR OBJECTNAME endswith "CrashDumpEnabled") AND (DETAILS = "dword (0x00000001),dword (0x00000002)" OR CHANGES = "1,2"))) Action2: actionname = "Detection Events" AND (NAME = "credential theft") AND ENDPOINT_NAME = Action1.HOSTNAME AND USERNAME = Action1.USERNAME sequence:Action1 followedby Action2 within 10m select Action1.HOSTNAME,Action1.EVENTID,Action1.ACCESSES,Action1.OBJECTVALUENAME,Action1.OBJECTNAME,Action1.USERNAME,Action1.CHANGES,Action1.DETAILS,Action1.PROCESSNAME,Action2.NAME,Action2.SEVERITYLEVEL,Action2.FILE_NAME,Action2.FILEPATH,Action2.ENDPOINT_NAME,Action2.DOMAIN,Action2.USERNAME,Action2.PATTERN,Action2.OUTCOME,Action2.MITRETACTIC,Action2.MITRETECHNIQUE,Action2.CATEGORY,Action2.COMMANDLINE

Detection

Execution Mode

realtime

Log Sources

CrowdStrike Falcon