I made a quick and dirty detection script during incident response that searches a bit deeper for LSASS dumps and other artefacts left behind by attackers.
It is kind of quick and dirty, so use it at your own risk.
It had a detection for the Exchange installation path, but I don't use it anymore. Ignore it and just choose C:\Temp\
Command Line Arguments:
--fileTypeMustMatch Enforces that all checks are only performed if the expected file type (Executable, Driver, MEMDump) is matched.
--fileSizeCheck Checks whether a file's size is plausible for the expected type, based on predefined size ranges for each type.
--customHashValuesFile Takes a list of custom SHA-1 or SHA-256 hash values and searches for these hashes, in either basic or folder mode.
No longer locks Exchange files; the previous version could create race conditions.
Exchange Breach detection