LSASS Memory Dumping using WerFault.exe - Command Identification

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

Identifies WerFault.exe creating a memory dump of lsass.exe (Local Security Authority Subsystem Service, a process responsible for the enforcement of security policies on Windows systems, which generates and stores credentials in its process memory).

Attribute	Value
Type	Hunting Query
Solution	Cyborg Security HUNTER
ID	4894a60b-d2ee-4f24-be61-0d0c96a84e63
Tactics	CredentialAccess
Techniques	T1003
Required Connectors	SecurityEvent
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
SecurityEvent	✓	✓	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Hunting Queries · Back to Cyborg Security HUNTER