Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0006 ✕ technique: T1564 ✕
Show ATT&CK heatmapProcdump executed from an atypical directory Medium
Procdump.exe is a SysInternals tool used to dump process memory; it can be used to dump lsass.exe memory to extract credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001) OS Credential Dumping: LSASS Memory (T1003.001)Required data: XDR AgentAttacker's goals: Attackers may attempt to dump the memory of sensitive processes.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.