From 8d25c8e421f173ae61292d7c6a2a889651476457 Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Fri, 13 Mar 2026 11:09:09 +0530
Subject: [PATCH] dump-lsass-memory-via-openprocess-and-minidumpwritedump

---
 ...-via-openprocess-and-minidumpwritedump.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 nursery/dump-lsass-memory-via-openprocess-and-minidumpwritedump.yml

diff --git a/nursery/dump-lsass-memory-via-openprocess-and-minidumpwritedump.yml b/nursery/dump-lsass-memory-via-openprocess-and-minidumpwritedump.yml
new file mode 100644
index 000000000..43efa5b1b
--- /dev/null
+++ b/nursery/dump-lsass-memory-via-openprocess-and-minidumpwritedump.yml
@@ -0,0 +1,30 @@
+rule:
+ meta:
+ name: dump LSASS memory via OpenProcess and MiniDumpWriteDump
+ namespace: collection/credential-dumping
+ authors:
+ - akshatpal
+ scopes:
+ static: function
+ dynamic: span of calls
+ att&ck:
+ - Credential Access::OS Credential Dumping::LSASS Memory [T1003.001]
+ references:
+ - https://attack.mitre.org/techniques/T1003/001/
+ - https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
+ - https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+ features:
+ - and:
+ - or:
+ - match: open process
+ - api: kernel32.OpenProcess
+ - api: NtOpenProcess
+ - api: ZwOpenProcess
+ - or:
+ - match: create process memory minidump
+ - api: dbghelp.MiniDumpWriteDump
+ - or:
+ - substring: "lsass.exe"
+ - substring: "\\lsass.exe"
+ - optional:
+ - match: acquire debug privileges
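Review bot: The third `or` block matches `lsass.exe` case-sensitively, and its second entry `substring: "\\lsass.exe"` is redundant because any string containing `\lsass.exe` already contains `lsass.exe`, so the pair adds no coverage while still missing `LSASS.EXE` or `Lsass.exe` spellings that appear in real samples. A single case-insensitive regex feature, `- string: /lsass\.exe/i`, replaces both lines, covers the backslash form and the case variants, and makes the intent explicit. In the second `or`, `api: dbghelp.MiniDumpWriteDump` pins the module; the same export is also provided by dbgcore.dll, so the module-less `api: MiniDumpWriteDump` would likely match either library — worth confirming against how capa emits API features before changing it. A `description:` line in `meta` stating that the process handle, the minidump call and the lsass string must all occur in the same function (static) or call span (dynamic) would help reviewers judge false-positive risk when promoting the rule out of nursery.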