Dump LSASS Via Procdump Rename
Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage: -mm produces a mini dump file and -ma writes a dump file containing all of the process's memory. Both are highly suspect and should be reviewed. Modify the query as needed. During triage, confirm that this is procdump.exe executing. If it is the first time a Sysinternals utility has been run, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross-process activity (injection) into lsass.exe.
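As an added example, not the detection's own SPL query: the same conditions (a binary whose OriginalFileName is procdump but which runs under another name, with -ma or -mm and lsass on the command line) expressed in Python and run over constructed process-creation events. The field names and sample values are assumptions, not data from the page.

```python
import re

# Constructed sample process-creation events, not taken from the original page.
# Field names mimic what an endpoint sensor (e.g. Sysmon event ID 1) records.
SAMPLE_EVENTS = [
    {"process_name": "procdump64.exe", "original_file_name": "procdump",
     "command_line": "procdump64.exe -ma lsass.exe C:\\Temp\\lsass.dmp"},
    {"process_name": "notepad.exe", "original_file_name": "procdump",
     "command_line": "notepad.exe -accepteula -mm lsass.exe C:\\Temp\\out.dmp"},
    {"process_name": "pd.exe", "original_file_name": "procdump",
     "command_line": "pd.exe -ma notepad.exe C:\\Temp\\np.dmp"},
    {"process_name": "dump.exe", "original_file_name": "dump",
     "command_line": "dump.exe -ma lsass.exe x.dmp"},
]

# -ma (full memory) or -mm (mini dump) as a standalone switch on the command line.
DUMP_FLAG = re.compile(r"(?:^|\s)-(?:ma|mm)(?:\s|$)", re.IGNORECASE)
TARGET = re.compile(r"lsass", re.IGNORECASE)


def is_renamed_procdump(event):
    """True when the PE identifies itself as ProcDump but runs under another name."""
    orig = event["original_file_name"].lower()
    name = event["process_name"].lower()
    return orig.startswith("procdump") and not name.startswith("procdump")


def classify(event):
    """Return None when the event does not meet the rule, else a finding dict.
    dump_type is 'full' for -ma and 'mini' for -mm, as described above."""
    cmd = event["command_line"]
    if not (is_renamed_procdump(event) and TARGET.search(cmd)):
        return None
    m = DUMP_FLAG.search(cmd)
    if not m:
        return None
    return {
        "process_name": event["process_name"],
        "dump_type": "full" if m.group(0).strip().lower() == "-ma" else "mini",
        # Triage hint from the description: a first Sysinternals run carries -accepteula.
        "first_run_hint": "-accepteula" in cmd.lower(),
    }


def scan(events):
    """Apply the rule to every event and return only the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the renamed copy (notepad.exe) is reported; a process still named procdump*.exe is left to other rules, as the query described above does.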
Dump LSASS Via Procdump Rename Help
To successfully implement this search you need to be ingesting information on processes that includes the name of the process responsible for the changes from your endpoints into the