doppelpaymer-procdump

kql MEDIUM Azure-Sentinel
DeviceProcessEvents
backdoor · credential-theft · hunting · microsoft · official · ransomware
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-07T23:00:00Z · Confidence: medium

Hunt Hypothesis

The doppelpaymer-procdump rule looks for ProcDump being used to dump the memory of the LSASS process, the credential-theft step that DoppelPaymer's human operators perform after gaining access. This post-exploitation behavior could indicate that an adversary is preparing to exfiltrate data or encrypt systems. SOC teams should proactively hunt for it in Azure Sentinel to identify early signs of DoppelPaymer ransomware execution and mitigate data loss before encryption occurs.

KQL Query

// Dumping of LSASS memory using procdump
DeviceProcessEvents
| where Timestamp > ago(7d)
// Command lines that include "lsass" and -accepteula or -ma flags used in procdump
| where (ProcessCommandLine has "lsass" and (ProcessCommandLine has "-accepteula" or
ProcessCommandLine contains "-ma"))
// Omits possible FPs where the full command is just "procdump.exe lsass"
or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')
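
To validate the query's logic in a test workspace before deploying it, the following added example (not part of the Azure-Sentinel rule) runs the same predicate over constructed rows and shows which of the two branches matched each one. The table name SampleEvents, the host names, the tool names other than ProcDump, and all command lines are assumptions made for illustration.

```kql
// Added example: constructed rows, not real telemetry.
// The rule's "Timestamp > ago(7d)" filter is left out because these rows are static.
let SampleEvents = datatable(Timestamp: datetime, DeviceName: string, FileName: string, ProcessCommandLine: string)
[
    // ProcDump with the flags named in the rule comment
    datetime(2026-05-01T10:00:00Z), "host-a", "procdump64.exe", "procdump64.exe -accepteula -ma lsass.exe lsass.dmp",
    // Bare command with no flags
    datetime(2026-05-01T10:05:00Z), "host-b", "procdump.exe", "procdump.exe lsass",
    // File name that is not in the rule's FileName list (hypothetical name)
    datetime(2026-05-01T10:10:00Z), "host-c", "dump-tool.exe", "dump-tool.exe -ma lsass.exe out.dmp",
    // ProcDump against a process other than LSASS
    datetime(2026-05-01T10:15:00Z), "host-d", "procdump.exe", "procdump.exe -accepteula -ma w3wp.exe",
    // Unrelated hypothetical tool whose arguments contain the substring "-ma"
    datetime(2026-05-01T10:20:00Z), "host-e", "backup-tool.exe", "backup-tool.exe -maxsize 10 lsass-audit.log"
];
SampleEvents
// Branch 1 of the rule: "lsass" plus -accepteula or the "-ma" substring, any file name
| extend FlagBranch = ProcessCommandLine has "lsass"
    and (ProcessCommandLine has "-accepteula" or ProcessCommandLine contains "-ma")
// Branch 2 of the rule: ProcDump file name plus "lsass"
| extend NameBranch = FileName in~ ('procdump.exe','procdump64.exe')
    and ProcessCommandLine has 'lsass'
// Same overall condition as the rule: either branch is enough
| where FlagBranch or NameBranch
| project Timestamp, DeviceName, FileName, ProcessCommandLine, FlagBranch, NameBranch
```

Rows returned with only FlagBranch set are the ones to review when tuning, since that branch uses a substring match on "-ma" and does not check the file name.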

Analytic Rule Definition

id: ce3cc53c-14a7-4ee5-95c6-b26cbc01d20b
name: doppelpaymer-procdump
description: |
  This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.
  DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization.
  The following query detects ProcDump being used to dump credentials from LSASS.
  The See also section below lists links to other queries associated with DoppelPaymer.
  References:
  https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/
  https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372
  https://docs.microsoft.com/sysinternals/downloads/procdump
  https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
tactics:
- Credential Access
query: |
  // Dumping of LSASS memory using procdump
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  // Command lines that include "lsass" and -accepteula or -ma flags used in procdump
  | where (ProcessCommandLine has "lsass" and (ProcessCommandLine has "-accepteula" or
  ProcessCommandLine contains "-ma"))
  // Omits possible FPs where the full command is just "procdump.exe lsass"
  or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')

Required Data Sources

Sentinel Table         Notes
DeviceProcessEvents    Ensure this data connector is enabled

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Credential Access/doppelpaymer-procdump.yaml