cscli scenarios install sigmahq/proc_creation_win_susp_lsass_dmp_cli_keywords1type: trigger2name: sigmahq/proc_creation_win_susp_lsass_dmp_cli_keywords3description: |4 Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.CommandLine contains 'lsass.dmp' || evt.Parsed.CommandLine contains 'lsass.zip' || evt.Parsed.CommandLine contains 'lsass.rar' || evt.Parsed.CommandLine contains 'Andrew.dmp' || evt.Parsed.CommandLine contains 'Coredump.dmp' || evt.Parsed.CommandLine contains 'NotLSASS.zip' || evt.Parsed.CommandLine contains 'lsass_2' || evt.Parsed.CommandLine contains 'lsassdump' || evt.Parsed.CommandLine contains 'lsassdmp' || evt.Parsed.CommandLine contains 'lsass' && evt.Parsed.CommandLine contains '.dmp' || evt.Parsed.CommandLine contains 'SQLDmpr' && evt.Parsed.CommandLine contains '.mdmp' || evt.Parsed.CommandLine contains 'nanodump' && evt.Parsed.CommandLine contains '.dmp')7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t1003.0011516 label: "LSASS Dump Keyword In CommandLine"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324