This note documents detection patterns related to LSASS Dumping within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 10 | Process access | Critical | Primary signal for LSASS handle access and dump preparation. |
| Security | 4688 | Process creation | Critical | Detects dump tooling and command-line arguments. |
| Sysmon | 1 | Process creation | Critical | Best execution source for dump tools and parent lineage. |
| Sysmon | 11 | File create | Critical | Captures dump files (.dmp, .tmp, renamed outputs). |
| Security | 4673 | Sensitive privilege use attempted | High | Often shows SeDebugPrivilege usage. |
| Security | 4674 | Privileged object operation | High | Sensitive process interaction. |
| Sysmon | 7 | Image loaded | Medium | Useful when dump libraries load unexpectedly. |
| Security | 4656 | Handle requested | High | LSASS object handle requests if auditing enabled. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Access to lsass.exe with high rights | 0x1fffff, 0x1010, 0x1410 | Critical | Strong dump indicator. |
| Dump file in Temp/AppData | .dmp outside admin workflow | Critical | Common attacker staging. |
| Procdump / rundll32 / comsvcs usage | Known dump methods | Critical | Common offensive chain. |
| Silent dump then archive | Dump followed by zip/7z | Critical | Exfil preparation. |
| LSASS access by unsigned binary | Non-standard process opens LSASS | Critical | Very strong malicious signal. |
| Service context dump | SYSTEM process dump | High | Persistence-linked credential theft. |
Common Tools
| Tool | Usage |
|---|---|
| procdump.exe | LSASS memory dump |
| rundll32.exe | comsvcs.dll MiniDump |
| taskmgr.exe | Manual dump |
| Process Explorer | Dump via GUI |
| mimikatz | Direct credential extraction |
| custom dumpers | Direct API dumping |
| PowerShell | Invoke dump wrappers |
Relevant Artifacts
- Sysmon Event IDs 10, 1, 11
- Security Event IDs 4688, 4673, 4674, 4656
- Dump files: .dmp, .tmp
- Prefetch: PROCDUMP.EXE, RUNDLL32.EXE, TASKMGR.EXE
- Amcache for dump tooling
- ShimCache traces
- MFT / USN for dump file timeline
- EDR handle telemetry
- LSASS access lineage
MITRE ATT&CK References
- T1003.001 LSASS Memory
- T1003 OS Credential Dumping
- T1134 Access Token Manipulation
Decision Tree
- Which process accessed LSASS?
  - Signed?
  - Parent process
- Granted access suspicious?
  - Full access
  - Read + duplicate
- Dump file created?
  - Path
  - Timestamp
  - Naming
- Follow-up activity?
  - Archive
  - Exfiltration
  - Credential parsing
- Expand:
  - SeDebugPrivilege
  - Token abuse
  - Lateral movement
- Scope:
  - Single dump
  - Multiple attempts
  - Multi-host pattern
Example Detection Templates
KQL
```kql
Sysmon
| where EventID == 10
| where TargetImage has "\\lsass.exe"
| project TimeGenerated, Computer, SourceImage, GrantedAccess
```
```kql
Sysmon
| where EventID == 1
| where CommandLine has_any ("procdump","comsvcs","MiniDump","lsass")
| project TimeGenerated, Computer, User, CommandLine
```
EQL
```eql
process where process.command_line like "*procdump*" or process.command_line like "*MiniDump*"
```
```eql
sequence by host.name with maxspan=5m
  [ process where process.name != null ]
  [ file where file.extension == "dmp" ]
```
Sigma
```yaml
title: LSASS Dumping Detection
id: 3d6c9e70-lsass-dump
status: experimental
description: Detects LSASS dumping activity linked to credential theft
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 10
    TargetImage|endswith: '\lsass.exe'
  condition: selection
fields:
  - SourceImage
  - GrantedAccess
falsepositives:
  - Security tooling
level: high
tags:
  - attack.credential_access
  - attack.t1003.001
```
Splunk
```spl
index="main" sourcetype="WinEventLog:*" EventCode=10 TargetImage=*lsass* (GrantedAccess="0x1FFFFF" OR GrantedAccess="0x1010" OR GrantedAccess="0x1410") SourceUser!=*SYSTEM*
| stats count by SourceImage
```
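The same logic as the templates above, carried through against constructed Sysmon Event 10 and Event 11 records, as an added Python example that is not part of this note: it flags LSASS opens with the access masks from the Indirect Indicators table, skips an assumed allowlist of security tooling (the note's listed false positive), and raises severity when the same image writes a .dmp on the same host within the five-minute window the EQL sequence uses. The allowlist path and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Granted-access masks the note lists as strong dump indicators.
SUSPICIOUS_ACCESS = {0x1FFFFF, 0x1010, 0x1410}

# Assumed allowlist of security tooling expected to open LSASS (hypothetical path).
ALLOWED_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}

# Constructed sample records in the shape of Sysmon Event 10 / Event 11 fields.
LSASS = r"C:\Windows\System32\lsass.exe"
EVENTS = [
    {"EventID": 10, "Computer": "WS01", "UtcTime": "2026-03-07 10:00:01",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "WS01", "UtcTime": "2026-03-07 10:02:15",
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\pd.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Computer": "WS01", "UtcTime": "2026-03-07 10:02:17",
     "Image": r"C:\Users\bob\AppData\Local\Temp\pd.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\lsass.dmp"},
    {"EventID": 10, "Computer": "WS02", "UtcTime": "2026-03-07 11:00:00",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1000"},  # query-only, benign
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def lsass_access_alerts(events, window=timedelta(minutes=5)):
    """Return one finding per suspicious LSASS open. 'dump_file' is filled when the
    same image wrote a .dmp on the same host within `window` after the open."""
    dumps = [e for e in events
             if e["EventID"] == 11 and e["TargetFilename"].lower().endswith(".dmp")]
    findings = []
    for e in events:
        if e["EventID"] != 10 or not e["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if int(e["GrantedAccess"], 16) not in SUSPICIOUS_ACCESS:
            continue  # low-rights query, not a dump pattern
        if e["SourceImage"].lower() in ALLOWED_SOURCES:
            continue  # known security tooling (the note's listed false positive)
        opened = _ts(e["UtcTime"])
        dump = next((d["TargetFilename"] for d in dumps
                     if d["Computer"] == e["Computer"] and d["Image"] == e["SourceImage"]
                     and opened <= _ts(d["UtcTime"]) <= opened + window), None)
        findings.append({"host": e["Computer"], "source": e["SourceImage"],
                         "access": e["GrantedAccess"], "dump_file": dump,
                         "severity": "critical" if dump else "high"})
    return findings
```

Running it over the sample set yields a single critical finding for the Temp-staged binary on WS01; the Defender open and the query-only svchost open are dropped.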
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| RunAsPPL | Protect LSASS | Critical | Strong anti-dump barrier |
| Sysmon Event 10 | Enable process access logging | Critical | Core visibility |
| Credential Guard | Isolate secrets | Critical | Major reduction in dump value |
| Dump file monitoring | Alert on .dmp creation | High | Strong post-access signal |
| EDR handle analytics | Detect abnormal LSASS opens | Critical | Best real-time coverage |