T1003.001 LSASS Memory Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let LsassAccessTools = dynamic([
  "procdump", "procdump64", "mimikatz", "mimilib", "wce", "gsecdump",
  "lsass.exe", "sqldumper", "werfault", "taskmgr"
]);
let SuspiciousLsassAccess = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ProcessAccessed"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ (
    "MsMpEng.exe", "csrss.exe", "services.exe", "lsm.exe",
    "svchost.exe", "winlogon.exe", "wmiprvse.exe", "wininit.exe",
    "SecurityHealthService.exe", "SenseIR.exe"
  )
| where InitiatingProcessGrantedAccessMask in (
    "0x1fffff", "0x1f3fff", "0x143a", "0x1410", "0x1010", "0x40"
  )
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, InitiatingProcessGrantedAccessMask;
let ComsvcsMinidump = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine has_all ("comsvcs.dll", "MiniDump")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let ProcDumpLsass = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("procdump.exe", "procdump64.exe")
| where ProcessCommandLine has "lsass"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
union SuspiciousLsassAccess, ComsvcsMinidump, ProcDumpLsass
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Access Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceEvents DeviceProcessEvents

False Positives

EDR agents (CrowdStrike, Carbon Black, Cylance) that legitimately access LSASS for memory scanning — these should be in the process exclusion list
Windows Error Reporting (WerFault.exe) creating crash dumps when LSASS encounters an error
IT administrators using Task Manager to create LSASS dump for legitimate debugging purposes
Sysinternals ProcDump used by operations teams for authorized crash dump collection

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
  TargetImage="*\\lsass.exe"
  NOT (SourceImage="*\\MsMpEng.exe" OR SourceImage="*\\csrss.exe" OR SourceImage="*\\services.exe"
    OR SourceImage="*\\lsm.exe" OR SourceImage="*\\svchost.exe" OR SourceImage="*\\winlogon.exe"
    OR SourceImage="*\\wininit.exe" OR SourceImage="*\\SecurityHealthService.exe")
| eval HighAccess=if(match(GrantedAccess, "^0x(1[fF][3f][fF]{3}|1[fF][fF]{4}|143[aA]|1[04][01][0a0])"), 1, 0)
| where HighAccess=1
| table _time, host, SourceImage, SourceCommandLine, GrantedAccess, SourceUser
| sort - _time
| append
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
   ((Image="*\\rundll32.exe" CommandLine="*comsvcs*" CommandLine="*MiniDump*")
    OR (Image="*\\procdump*.exe" CommandLine="*lsass*"))
  | eval DetectionType=case(
      match(CommandLine, "comsvcs"), "ComsvcsMinidump",
      match(Image, "procdump"), "ProcDumpLsass",
      1==1, "Other"
    )
  | table _time, host, Image, CommandLine, User, DetectionType]

critical severity high confidence

Data Sources

Process: Process Access Process: Process Creation Sysmon Event ID 10 Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

EDR agent processes performing LSASS memory inspection
Antivirus software accessing LSASS for behavioral monitoring
Windows Defender accessing LSASS during AMSI scanning
Legitimate administrator ProcDump usage with authorized change ticket

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   (
     (process.name : "rundll32.exe" and process.args : "*comsvcs*" and process.args : "*MiniDump*") or
     (process.name : ("procdump.exe", "procdump64.exe") and process.args : "*lsass*") or
     (process.name : ("mimikatz.exe", "mimilib.dll", "wce.exe", "gsecdump.exe"))
   )
  ] by process.pid

any where true

/* Supplemental: direct LSASS process access */
[process where event.type == "access" and
 target.process.name : "lsass.exe" and
 not process.name : (
   "MsMpEng.exe", "csrss.exe", "services.exe", "lsm.exe",
   "svchost.exe", "winlogon.exe", "wmiprvse.exe", "wininit.exe",
   "SecurityHealthService.exe", "SenseIR.exe"
 )
]

critical severity high confidence

Data Sources

Sysmon (EID 1, 10) Windows Security Event Log (EID 4688) Elastic Endpoint

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-*

False Positives

Legitimate Windows Error Reporting (WerFault.exe) accessing LSASS during crash reporting — verify process lineage and access mask
Antivirus or EDR solutions (e.g., Defender MsMpEng, CrowdStrike) performing scheduled memory scans — cross-reference against known security tool inventory
Task Manager (taskmgr.exe) opened by an administrator to view process memory — correlate with interactive logon session and user role

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "SourceImage",
  "TargetImage",
  "CommandLine",
  "GrantedAccess"
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12 /* Microsoft Windows Security Event Log / Sysmon */
  AND (
    (
      /* Sysmon EID 10: LSASS process access with high-privilege access masks */
      qid = 5001010 /* Sysmon ProcessAccess */
      AND "TargetImage" ILIKE '%lsass.exe'
      AND "SourceImage" NOT ILIKE '%MsMpEng.exe'
      AND "SourceImage" NOT ILIKE '%csrss.exe'
      AND "SourceImage" NOT ILIKE '%services.exe'
      AND "SourceImage" NOT ILIKE '%lsm.exe'
      AND "SourceImage" NOT ILIKE '%svchost.exe'
      AND "SourceImage" NOT ILIKE '%winlogon.exe'
      AND "SourceImage" NOT ILIKE '%wininit.exe'
      AND "SourceImage" NOT ILIKE '%SecurityHealthService.exe'
      AND (
        "GrantedAccess" IN ('0x1fffff', '0x1f3fff', '0x143a', '0x1410', '0x1010', '0x40')
      )
    )
    OR
    (
      /* Sysmon EID 1: rundll32 comsvcs MiniDump or procdump against lsass */
      qid = 5001001 /* Sysmon ProcessCreate */
      AND (
        (
          "Image" ILIKE '%rundll32.exe'
          AND "CommandLine" ILIKE '%comsvcs%'
          AND "CommandLine" ILIKE '%MiniDump%'
        )
        OR
        (
          ("Image" ILIKE '%procdump.exe' OR "Image" ILIKE '%procdump64.exe')
          AND "CommandLine" ILIKE '%lsass%'
        )
      )
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500

critical severity high confidence

Data Sources

Sysmon via Windows Event Log Microsoft Windows Security Event Log

Required Tables

events

False Positives

Windows Task Manager running as administrator may legitimately access LSASS memory during process inspection — validate against user role and time of access
Legitimate memory forensics tools used by the security team (e.g., WinPmem, Volatility acquisition) — maintain an allowlist of authorized forensics hosts
SQL Server sqldumper.exe accessing LSASS during SQL dump operations on database servers — correlate with SQL Server activity on known DB hosts

Sumo Logic CSE

sql

/* LSASS Credential Dumping — T1003.001 */
(_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
| parse xml
| where EventID in ("1", "10")
| if (EventID="10",
     TargetImage,
     "") as lsass_target
| if (EventID="10",
     SourceImage,
     Image) as exec_image
| if (EventID="10",
     GrantedAccess,
     "") as access_mask
| if (EventID="10",
     SourceCommandLine,
     CommandLine) as cmdline
| if (EventID="10",
     SourceUser,
     User) as actor_user
| where (
    /* EID 10: Direct LSASS access with suspicious mask */
    (EventID = "10"
     AND lsass_target matches "(?i).*lsass\.exe$"
     AND !exec_image matches "(?i).*(MsMpEng|csrss|services|lsm|svchost|winlogon|wininit|SecurityHealthService|SenseIR)\.exe$"
     AND access_mask in ("0x1fffff", "0x1f3fff", "0x143a", "0x1410", "0x1010", "0x40")
    )
    OR
    /* EID 1: comsvcs MiniDump via rundll32 */
    (EventID = "1"
     AND exec_image matches "(?i).*rundll32\.exe$"
     AND cmdline matches "(?i).*comsvcs.*MiniDump.*"
    )
    OR
    /* EID 1: ProcDump targeting lsass */
    (EventID = "1"
     AND exec_image matches "(?i).*procdump(64)?\.exe$"
     AND cmdline matches "(?i).*lsass.*"
    )
  )
| eval detection_type = if(EventID="10", "DirectLsassAccess",
    if(cmdline matches "(?i).*comsvcs.*", "ComsvcsMinidump", "ProcDumpLsass"))
| fields _messageTime, Computer, exec_image, cmdline, actor_user, access_mask, detection_type
| sort by _messageTime desc

critical severity high confidence

Data Sources

Sysmon Windows Event Log (EID 1, 10)

Required Tables

windows/sysmon os/windows/sysmon

False Positives

Windows Defender and other AV products may legitimately access LSASS for real-time protection scanning — validate against known AV process names not in the exclusion list
Legitimate crash dump collection by Windows Error Reporting (WerFault.exe) when LSASS itself crashes — correlate with system stability events and WER configuration
Authorized red team or penetration testing exercises — verify change tickets or authorized testing windows before escalating

Google Chronicle / SecOps

yaral

rule lsass_credential_dumping_t1003_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects LSASS memory credential dumping via direct process access, comsvcs MiniDump, or ProcDump — T1003.001"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1003.001"
    reference = "https://attack.mitre.org/techniques/T1003/001/"
    created = "2026-04-13"

  events:
    /* Pattern A: Direct LSASS process access with suspicious access mask */
    (
      $e1.metadata.event_type = "PROCESS_OPEN"
      and $e1.target.process.file.full_path = /(?i).*\\lsass\.exe$/
      and not $e1.principal.process.file.full_path = /(?i).*\\(MsMpEng|csrss|services|lsm|svchost|winlogon|wininit|wininit|SecurityHealthService|SenseIR)\.exe$/
      and (
        $e1.target.resource.attribute.labels["GrantedAccess"] = "0x1fffff" or
        $e1.target.resource.attribute.labels["GrantedAccess"] = "0x1f3fff" or
        $e1.target.resource.attribute.labels["GrantedAccess"] = "0x143a"  or
        $e1.target.resource.attribute.labels["GrantedAccess"] = "0x1410"  or
        $e1.target.resource.attribute.labels["GrantedAccess"] = "0x1010"  or
        $e1.target.resource.attribute.labels["GrantedAccess"] = "0x40"
      )
    )
    or
    /* Pattern B: rundll32 invoking comsvcs.dll MiniDump */
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and $e1.target.process.file.full_path = /(?i).*\\rundll32\.exe$/
      and $e1.target.process.command_line = /(?i).*comsvcs.*MiniDump.*/
    )
    or
    /* Pattern C: ProcDump targeting lsass */
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and $e1.target.process.file.full_path = /(?i).*\\procdump(64)?\.exe$/
      and $e1.target.process.command_line = /(?i).*lsass.*/
    )

  condition:
    $e1
}

critical severity high confidence

Data Sources

Google Chronicle UDM Sysmon via Chronicle forwarder Windows Security Events via Chronicle

Required Tables

UDM Events (PROCESS_OPEN, PROCESS_LAUNCH)

False Positives

Security health monitoring services (SecurityHealthService.exe, SenseIR.exe) not covered by the exclusion list that perform legitimate LSASS reads on newer Windows builds — review UDM principal fields for process lineage
Legitimate Windows debugging tools (e.g., WinDbg, cdb.exe) used by kernel developers on developer workstations — restrict alert scope to server and non-developer endpoints
Automated memory acquisition during IR investigations using Volatility or similar forensic tools run by the SOC — maintain a list of authorized IR hosts and suppress accordingly

CrowdStrike LogScale (CQL)

cql

/* T1003.001 — LSASS Memory Credential Dumping */

/* Pattern 1: Suspicious process accessing LSASS memory (Sysmon-like via CrowdStrike LsassCall events) */
#event_simpleName = "LsassCall"
| TargetProcessImageFileName = /(?i)lsass\.exe/
| SourceProcessImageFileName != /(?i)(MsMpEng|csrss|services|lsm|svchost|winlogon|wininit|SecurityHealthService|SenseIR)\.exe/
| DesiredAccess in ["0x1fffff", "0x1f3fff", "0x143a", "0x1410", "0x1010", "0x40"]
| table([_timeutc, ComputerName, SourceProcessImageFileName, SourceProcessCommandLine, DesiredAccess, UserName])

union

/* Pattern 2: rundll32 executing comsvcs.dll MiniDump */
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)rundll32\.exe/
| CommandLine = /(?i)comsvcs/
| CommandLine = /(?i)MiniDump/
| table([_timeutc, ComputerName, ImageFileName, CommandLine, UserName, SHA256HashData])

union

/* Pattern 3: ProcDump targeting lsass */
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)procdump(64)?\.exe/
| CommandLine = /(?i)lsass/
| table([_timeutc, ComputerName, ImageFileName, CommandLine, UserName, SHA256HashData])

union

/* Pattern 4: Known credential dumping tool names */
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(mimikatz|mimilib|wce|gsecdump|sqldumper)\.exe/
| table([_timeutc, ComputerName, ImageFileName, CommandLine, UserName, SHA256HashData, MD5HashData])

| sort(field=_timeutc, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2, LsassCall) Falcon Data Replicator

Required Tables

LsassCall ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself (CSFalconService, CSAgent) may appear in LsassCall events on endpoints during threat intelligence operations — validate sensor version and exclude known Falcon process names
sqldumper.exe on SQL Server hosts accessing LSASS during legitimate SQL memory dump generation — correlate with SQL Server service activity and restrict alert to non-database server asset groups
Authorized penetration testing tools executed by the internal red team — confirm against change management tickets and limit scope using ComputerName allowlists or asset tags in the query

LSASS Memory

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections