Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0006 ✕ technique: T1564 ✕

Show ATT&CK heatmap
  • Procdump executed from an atypical directory Medium

    Procdump.exe is a SysInternals tool used to dump process memory; it can be used to dump lsass.exe memory to extract credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001) OS Credential Dumping: LSASS Memory (T1003.001)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to dump the memory of sensitive processes.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.