Credential Dump Creation via PowerShell MiniDump
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| Credential Dump Creation via PowerShell MiniDump | Standard | Windows | Credential Access: OS Credential Dumping - LSASS Memory (T1003.001) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Identifies LSASS or sensitive process memory dumping via PowerShell.
Why this rule?
PowerShell-based LSASS memory dumping through the MiniDumpWriteDump API is a critical credential theft technique. A dump of the Local Security Authority Subsystem Service (LSASS) process memory exposes plaintext passwords, NTLM hashes, Kerberos tickets, and authentication tokens, giving an attacker immediate access to every credential currently cached on the system, including domain administrator passwords, service account credentials, and the passwords of recently authenticated users. Those credentials can then be used for lateral movement, privilege escalation, and domain compromise.
Severity
Trouble
Rule journey
Attack chain scenario
Credential Access → PowerShell Execution → LSASS Memory Dump → Credential Extraction → Lateral Movement.
Impact
Memory dumps of LSASS process enable attackers to extract plaintext credentials, password hashes, and authentication tokens for lateral movement.
Rule Requirement
Prerequisites
Enable PowerShell Script Block Logging (Event ID 4104).
Criteria
Action1: actionname = "PowerShell Script Block Logged" AND (SCRIPTEXECUTED contains "pmuDetirWpmuDiniM" OR SCRIPTEXECUTED contains "MiniDumpWriteDump" OR SCRIPTEXECUTED contains "MiniDumpWithFullMemory") select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED,Action1.DOMAIN,Action1.PATH,Action1.USERNAME
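The following is an added example, not part of the original rule page, that applies the Criteria above to a handful of constructed Event ID 4104 script block records. It assumes each event is a dict keyed by the field names the rule selects (HOSTNAME, MESSAGE, SCRIPTEXECUTED, DOMAIN, PATH, USERNAME) plus `actionname`, and that `contains` is evaluated case-insensitively; both are assumptions, not something the page states. It also goes one step beyond the page's literals: besides the three strings in the rule, each indicator is matched in reversed form, so the page's single reversed literal `pmuDetirWpmuDiniM` becomes one instance of a general string-reversal check.

```python
"""Added example (not the rule page's own code): evaluate the
'Credential Dump Creation via PowerShell MiniDump' criteria over
constructed Event ID 4104 records.

Assumptions not stated on the page:
- events are dicts keyed by the selected field names plus 'actionname';
- 'contains' is case-insensitive;
- each indicator is also matched reversed, generalising the page's
  single reversed literal 'pmuDetirWpmuDiniM'.
"""

# The page's indicators. 'pmuDetirWpmuDiniM' is MiniDumpWriteDump reversed,
# so it is derived below instead of being listed a second time.
INDICATORS = ("MiniDumpWriteDump", "MiniDumpWithFullMemory")

# Fields named in the rule's 'select' clause.
SELECTED_FIELDS = ("HOSTNAME", "MESSAGE", "SCRIPTEXECUTED",
                   "DOMAIN", "PATH", "USERNAME")

ACTION_NAME = "PowerShell Script Block Logged"


def build_patterns(indicators=INDICATORS):
    """Lower-cased forward and reversed forms of every indicator."""
    patterns = []
    for ind in indicators:
        patterns.append(ind.lower())
        patterns.append(ind[::-1].lower())   # reversed-string obfuscation
    return tuple(patterns)


PATTERNS = build_patterns()


def matches(event):
    """True when the event satisfies the rule's Action1 condition."""
    if event.get("actionname") != ACTION_NAME:
        return False                          # rule scope is 4104 only
    script = (event.get("SCRIPTEXECUTED") or "").lower()
    return any(p in script for p in PATTERNS)


def run_rule(events):
    """Return the selected columns of every matching event, in order."""
    return [{f: e.get(f) for f in SELECTED_FIELDS}
            for e in events if matches(e)]


# Constructed sample events (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    {"actionname": ACTION_NAME, "HOSTNAME": "WS-0017", "DOMAIN": "CORP",
     "USERNAME": "jdoe", "PATH": "C:\\Scripts\\cpu.ps1",
     "MESSAGE": "Creating Scriptblock text",
     "SCRIPTEXECUTED": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"actionname": ACTION_NAME, "HOSTNAME": "WS-0042", "DOMAIN": "CORP",
     "USERNAME": "svc-backup", "PATH": None,
     "MESSAGE": "Creating Scriptblock text",
     "SCRIPTEXECUTED": "$sig = '... MiniDumpWriteDump ...'"},
    {"actionname": ACTION_NAME, "HOSTNAME": "WS-0042", "DOMAIN": "CORP",
     "USERNAME": "svc-backup", "PATH": None,
     "MESSAGE": "Creating Scriptblock text",
     "SCRIPTEXECUTED": "$s = 'pmuDetirWpmuDiniM'"},
    {"actionname": "Process Created", "HOSTNAME": "WS-0042", "DOMAIN": "CORP",
     "USERNAME": "svc-backup", "PATH": "C:\\Tools\\x.exe",
     "MESSAGE": "not a script block event",
     "SCRIPTEXECUTED": "MiniDumpWriteDump"},
    {"actionname": ACTION_NAME, "HOSTNAME": "SRV-DB01", "DOMAIN": "CORP",
     "USERNAME": "admin-t0", "PATH": "C:\\Temp\\a.ps1",
     "MESSAGE": "Creating Scriptblock text",
     "SCRIPTEXECUTED": "$t = 'yromeMlluFhtiWpmuDiniM'"},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"{hit['HOSTNAME']}\\{hit['USERNAME']}: {hit['SCRIPTEXECUTED']}")
```

The fourth sample shows why the `actionname` clause matters: the same indicator in a process-creation event is outside this rule's scope and would be covered by a different rule. The fifth sample is caught only by the reversed-form generalisation, which the page's literal rule would miss.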
Detection
Execution Mode
realtime
Log Sources
Active Directory
MITRE ATT&CK
Credential Access: OS Credential Dumping - LSASS Memory (T1003.001)
Future actions
Known False Positives
Approved debugging, crash analysis, or endpoint forensic tools creating memory dumps during investigations.
Next Steps
- Identification: Identify the PowerShell script and user creating the memory dump.
- Analysis: Determine which process was dumped and assess credential exposure risk.
- Response: Rotate credentials for affected accounts, investigate credential theft, implement LSASS protection.
Mitigation
| ID | Mitigation | Description |
|---|---|---|
| | | On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. [113] |
| | | With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping. [114][115] |
| | | Consider disabling or restricting NTLM. [116] Consider disabling WDigest authentication. [117] |
| | | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| | | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
| | | On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. [118] |
| | | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |