This note documents detection patterns related to LSASS Dumping within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Look for processes spawning tools capable of dumping LSASS such as procdump.exe, rundll32.exe, comsvcs.dll, taskmgr.exe, or mimikatz. Review CommandLine and ParentProcessName. |
| Security | 4673 | Sensitive privilege used | High | Often appears when SeDebugPrivilege is used to access LSASS memory. |
| Security | 4656 | Handle requested to object | High | Requests for handle access to lsass.exe may indicate memory access attempts. |
| Security | 4663 | Object access | High | File access events when dump files are written to disk. |
| Sysmon | 1 | Process creation | Critical | Identify suspicious command lines referencing LSASS dumping or credential extraction utilities. |
| Sysmon | 10 | Process access | Critical | Direct evidence of a process opening LSASS memory. Review SourceImage, TargetImage, GrantedAccess. |
| Sysmon | 11 | File creation | High | Creation of dump files such as lsass.dmp in temporary directories. |
| Sysmon | 7 | Image loaded | Medium | Loading of dbghelp.dll or comsvcs.dll may indicate memory dumping behavior. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Process accessing LSASS | Non-system process accessing lsass.exe memory | Critical | One of the strongest indicators of credential dumping. |
| Suspicious dump files | Files like lsass.dmp or memory.dmp created in user directories | High | Attackers frequently store dumps before extracting credentials. |
| Execution of credential tools | Execution of mimikatz, procdump, or custom dumpers | Critical | Often detected through process creation logs. |
| Unusual parent-child process chains | Office apps, browsers, or scripts spawning dumping tools | High | Indicates a malicious execution chain. |
| Post-dump credential usage | Subsequent logons from accounts found in LSASS memory | Critical | Evidence that the attacker extracted credentials successfully. |
Common Tools
| Tool | Usage |
|---|---|
| Mimikatz | Extracts credentials directly from LSASS memory. |
| ProcDump | Used to create LSASS memory dumps for offline analysis. |
| Rundll32 comsvcs.dll | Built-in method to dump LSASS without external tools. |
| NanoDump | Advanced LSASS dumping tool designed to evade detection. |
| SafetyKatz | Modified Mimikatz implementation used in red team operations. |
| Cobalt Strike | Often used to execute LSASS dumping modules on compromised systems. |
Relevant Artifacts
- Windows Security logs (4688, 4673, 4656, 4663)
- Sysmon logs (1, 10, 11)
- EDR telemetry capturing memory access behavior
- Dump files on disk (lsass.dmp, *.tmp)
- Prefetch artifacts for dumping utilities
- PowerShell logs if dumping executed through scripts
- MFT artifacts showing dump file creation
- Process tree relationships from endpoint monitoring
MITRE ATT&CK References
- T1003 OS Credential Dumping
- T1003.001 LSASS Memory
- T1555 Credentials from Password Stores
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Look for Sysmon Event 10 showing process access to lsass.exe.
- What host generated the event?
  - Identify compromised workstation or server.
- Is the account expected to perform this action?
  - Only system components or security tools normally access LSASS.
- Pivot:
  - Source host → analyze executed processes and command lines.
  - Account → determine privilege escalation or credential theft.
  - Network → check for lateral movement after credential extraction.
- Confirm exploitation:
  - Investigate if extracted credentials were used for subsequent logons.
Example Detection Templates
KQL
Sysmon
| where EventID == 10
| where TargetImage endswith "lsass.exe"
| project TimeGenerated, Computer, SourceImage, GrantedAccess

SecurityEvent
| where EventID == 4688
| where CommandLine contains "lsass"
| project TimeGenerated, NewProcessName, CommandLine, ParentProcessName
EQL
process where process.name in ("procdump.exe","mimikatz.exe","rundll32.exe")
and process.command_line like "*lsass*"
Sigma
title: LSASS Memory Dump Attempt
id: lsass-dump-detection
status: experimental
description: Detects attempts to dump LSASS memory for credential extraction
logsource:
  product: windows
  category: process_access
detection:
  selection:
    TargetImage: "*lsass.exe"
  condition: selection
fields:
  - SourceImage
  - TargetImage
  - GrantedAccess
falsepositives:
  - Legitimate security tools
  - Endpoint protection software
level: critical
tags:
  - attack.credential_access
  - attack.t1003.001
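The templates above alert on any handle to lsass.exe; the triage step an analyst then performs (decode GrantedAccess, drop images that legitimately open LSASS) is shown here as an added Python example that is not part of the original note. The access-right constants are the documented winnt.h values; the allowlist and the sample Event 10 records are constructed assumptions to be tuned per estate.

```python
# Added example, not from the original note: triage constructed Sysmon Event 10
# records for lsass.exe access, decoding GrantedAccess rather than alerting on every handle.

# Process access rights from winnt.h. MiniDumpWriteDump needs PROCESS_VM_READ plus
# PROCESS_QUERY_INFORMATION (or QUERY_LIMITED_INFORMATION); a handle without VM_READ cannot
# read lsass.exe memory, which is how query-only 0x1000 handles get filtered out below.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumed allowlist of images that legitimately open lsass.exe; tune per estate.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def classify_access(granted_access):
    """Return why a GrantedAccess mask matters, or None if it cannot read memory."""
    if not granted_access & PROCESS_VM_READ:
        return None
    if granted_access & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION):
        return "VM_READ with query rights: minidump-capable handle"
    return "VM_READ without query rights: unusual, review"

def triage_event10(records):
    """One alert per Event 10 record that can read lsass.exe from a non-allowlisted image."""
    alerts = []
    for r in records:
        if r["EventID"] != 10 or not r["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if r["SourceImage"].lower() in ALLOWED_SOURCES:
            continue
        access = int(r["GrantedAccess"], 16)
        reason = classify_access(access)
        if reason:
            alerts.append({"Computer": r["Computer"], "SourceImage": r["SourceImage"],
                           "GrantedAccess": f"0x{access:X}", "Reason": reason})
    return alerts

# Constructed sample records in the field layout Sysmon Event 10 exports.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "WS02", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "WS02", "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for alert in triage_event10(SAMPLE_EVENTS):
        print(alert)
```

Only the two non-allowlisted handles that carry VM_READ (procdump.exe and rundll32.exe) surface; the csrss.exe and query-only explorer.exe handles are dropped.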
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| LSA Protection | Enable RunAsPPL (LSA Protection) | High | Prevents unauthorized access to LSASS memory. |
| Credential Guard | Enable Windows Defender Credential Guard | High | Isolates LSASS secrets from attackers. |
| EDR protection | Deploy endpoint security monitoring for LSASS access | High | Detects suspicious memory access attempts. |
| Least privilege | Restrict debug privileges to administrators | Medium | Reduces ability to access LSASS memory. |
| Monitoring | Alert on Sysmon Event 10 targeting lsass.exe | High | Early detection of credential dumping attempts. |