Detect LSASS Memory in Google Chronicle
Adversaries read credential material held in the memory of the Local Security Authority Subsystem Service process (lsass.exe). After a user logs on, LSASS caches NTLM hashes, Kerberos tickets and, where WDigest caching is enabled, plaintext passwords. Common tooling includes Mimikatz (sekurlsa::logonpasswords), Sysinternals ProcDump, the comsvcs.dll MiniDump export invoked through rundll32 (rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump), WerFault silent-process-exit dumps, and Cobalt Strike's logonpasswords command, which wraps Mimikatz's sekurlsa module. ATT&CK lists procedure examples from APT1, APT33, OilRig, HAFNIUM, Volt Typhoon and NotPetya among many others; it is one of the most frequently observed credential dumping techniques in the wild.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1003 OS Credential Dumping
- Sub-technique
- T1003.001 LSASS Memory
- Canonical reference
- https://attack.mitre.org/techniques/T1003/001/
YARA-L Detection Query
rule lsass_credential_dumping_t1003_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects LSASS memory credential dumping via direct process access, comsvcs MiniDump, or ProcDump — T1003.001"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1003.001"
    reference = "https://attack.mitre.org/techniques/T1003/001/"
    created = "2026-04-13"

  events:
    /* Pattern A: direct LSASS process access with a suspicious access mask.
       Sysmon writes GrantedAccess as upper-case hex (e.g. 0x1FFFFF), and
       YARA-L string equality is case-sensitive, so each comparison uses nocase. */
    (
      $e1.metadata.event_type = "PROCESS_OPEN"
      and $e1.target.process.file.full_path = /(?i).*\\lsass\.exe$/
      and not $e1.principal.process.file.full_path = /(?i).*\\(MsMpEng|csrss|services|lsm|svchost|winlogon|wininit|SecurityHealthService|SenseIR)\.exe$/
      and (
        $e1.target.resource.attribute.labels["GrantedAccess"] = "0x1fffff" nocase or
        $e1.target.resource.attribute.labels["GrantedAccess"] = "0x1f3fff" nocase or
        $e1.target.resource.attribute.labels["GrantedAccess"] = "0x143a" nocase or
        $e1.target.resource.attribute.labels["GrantedAccess"] = "0x1410" nocase or
        $e1.target.resource.attribute.labels["GrantedAccess"] = "0x1010" nocase or
        $e1.target.resource.attribute.labels["GrantedAccess"] = "0x40" nocase
      )
    )
    or
    /* Pattern B: rundll32 invoking the comsvcs.dll MiniDump export */
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and $e1.target.process.file.full_path = /(?i).*\\rundll32\.exe$/
      and $e1.target.process.command_line = /(?i).*comsvcs.*MiniDump.*/
    )
    or
    /* Pattern C: ProcDump or ProcDump64 with lsass on the command line */
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and $e1.target.process.file.full_path = /(?i).*\\procdump(64)?\.exe$/
      and $e1.target.process.command_line = /(?i).*lsass.*/
    )

  condition:
    $e1
}

Google Chronicle YARA-L 2.0 rule detecting LSASS credential dumping (T1003.001) across three attack patterns: direct process memory access with high-privilege access masks (Mimikatz, Cobalt Strike), comsvcs.dll MiniDump via rundll32, and ProcDump/ProcDump64 targeting lsass. It matches the UDM PROCESS_OPEN and PROCESS_LAUNCH event types. Before deploying, confirm in UDM search that your Sysmon parser exposes GrantedAccess under target.resource.attribute.labels; parsers differ, and a field path that does not match silently disables Pattern A. Keep the nocase modifier on the mask comparisons, because Sysmon emits the value in upper-case hex. The 0x40 mask (PROCESS_DUP_HANDLE) grants no memory read by itself but is listed because duplicating an existing LSASS handle is a known route around the more obvious masks.
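The following is an added example, not code from the original page or from Argus Detection Engineering: the three YARA-L patterns above re-implemented in Python and run over constructed UDM-style events, so the matching logic (including the upper-case hex GrantedAccess edge case and the exclusion list) can be checked offline before the rule is deployed. It assumes events are nested dicts following the UDM field paths the rule references, with labels flattened to a plain dict for brevity (real UDM stores them as key/value pairs); the helper names (udm_open, udm_launch, classify, run_detection) and every sample event are constructed for this example, not captured telemetry.

```python
"""Python re-implementation of the three rule patterns (added example)."""
import re
from typing import List, Optional, Tuple

# Process access rights from winnt.h. The rule's masks are combinations of
# these; any mask that includes PROCESS_VM_READ is enough to read LSASS memory.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010

# Same mask list as the YARA-L rule, held in lower case for comparison.
SUSPICIOUS_MASKS = {"0x1fffff", "0x1f3fff", "0x143a", "0x1410", "0x1010", "0x40"}

LSASS_RE = re.compile(r"(?i).*\\lsass\.exe$")
EXCLUDED_SOURCE_RE = re.compile(
    r"(?i).*\\(MsMpEng|csrss|services|lsm|svchost|winlogon|wininit"
    r"|SecurityHealthService|SenseIR)\.exe$")
RUNDLL32_RE = re.compile(r"(?i).*\\rundll32\.exe$")
COMSVCS_MINIDUMP_RE = re.compile(r"(?i).*comsvcs.*MiniDump.*")
PROCDUMP_RE = re.compile(r"(?i).*\\procdump(64)?\.exe$")
LSASS_ARG_RE = re.compile(r"(?i).*lsass.*")


def decode_access_mask(mask: int) -> List[str]:
    """Names of the process-specific rights set in an access mask."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def mask_reads_memory(mask: int) -> bool:
    """True if the mask grants PROCESS_VM_READ."""
    return bool(mask & PROCESS_VM_READ)


def _get(event: dict, *path: str) -> str:
    """Walk a nested dict along a UDM path; missing keys yield ""."""
    cur = event
    for key in path:
        cur = cur.get(key, {}) if isinstance(cur, dict) else {}
    return cur if isinstance(cur, str) else ""


def classify(event: dict) -> Optional[str]:
    """Return "A", "B" or "C" for the first matching rule pattern, else None."""
    event_type = _get(event, "metadata", "event_type")
    target_path = _get(event, "target", "process", "file", "full_path")
    source_path = _get(event, "principal", "process", "file", "full_path")
    cmdline = _get(event, "target", "process", "command_line")
    granted = _get(event, "target", "resource", "attribute", "labels", "GrantedAccess")

    # Pattern A. Sysmon writes GrantedAccess as upper-case hex ("0x1FFFFF"),
    # so normalise to lower case, which is what nocase does in the YARA-L rule.
    if (event_type == "PROCESS_OPEN" and LSASS_RE.match(target_path)
            and not EXCLUDED_SOURCE_RE.match(source_path)
            and granted.lower() in SUSPICIOUS_MASKS):
        return "A"
    # Pattern B: rundll32 loading the comsvcs.dll MiniDump export.
    if (event_type == "PROCESS_LAUNCH" and RUNDLL32_RE.match(target_path)
            and COMSVCS_MINIDUMP_RE.match(cmdline)):
        return "B"
    # Pattern C: ProcDump / ProcDump64 with lsass on the command line.
    if (event_type == "PROCESS_LAUNCH" and PROCDUMP_RE.match(target_path)
            and LSASS_ARG_RE.match(cmdline)):
        return "C"
    return None


def run_detection(events: List[dict]) -> List[Tuple[str, str]]:
    """(pattern, source image or command line) for each matching event."""
    hits = []
    for ev in events:
        pattern = classify(ev)
        if pattern:
            who = (_get(ev, "principal", "process", "file", "full_path")
                   or _get(ev, "target", "process", "command_line"))
            hits.append((pattern, who))
    return hits


def udm_open(source: str, granted: str) -> dict:
    """Constructed PROCESS_OPEN event (Sysmon EID 10 shape) targeting lsass."""
    return {"metadata": {"event_type": "PROCESS_OPEN"},
            "principal": {"process": {"file": {"full_path": source}}},
            "target": {"process": {"file": {"full_path": r"C:\Windows\System32\lsass.exe"}},
                       "resource": {"attribute": {"labels": {"GrantedAccess": granted}}}}}


def udm_launch(image: str, cmdline: str) -> dict:
    """Constructed PROCESS_LAUNCH event (Sysmon EID 1 shape)."""
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "target": {"process": {"file": {"full_path": image}, "command_line": cmdline}}}


# Constructed sample telemetry: two true positives for Pattern A (one with the
# upper-case mask Sysmon actually emits), one excluded AV engine, one benign
# query-only open, and one event each for Patterns B and C.
SAMPLE_EVENTS = [
    udm_open(r"C:\Users\bob\Desktop\mimikatz.exe", "0x1010"),
    udm_open(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe", "0x1FFFFF"),
    udm_open(r"C:\Windows\System32\notepad.exe", "0x1000"),
    udm_open(r"C:\Windows\System32\rundll32.exe", "0x1FFFFF"),
    udm_launch(r"C:\Windows\System32\rundll32.exe",
               r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\l.dmp full"),
    udm_launch(r"C:\Tools\procdump64.exe", r"procdump64.exe -accepteula -ma lsass.exe C:\Tools\out.dmp"),
]

if __name__ == "__main__":
    for pattern, who in run_detection(SAMPLE_EVENTS):
        print(pattern, who)
    print(hex(0x143a), decode_access_mask(0x143a))
```

Running it prints four hits (A, A, B, C) and the decoded 0x143a mask; the MsMpEng.exe open is dropped by the exclusion regex and the notepad.exe open is dropped because 0x1000 carries no PROCESS_VM_READ. Dropping the .lower() call reproduces the bug a case-sensitive YARA-L comparison would have: the two upper-case-hex events stop matching.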
Data Sources
- Sysmon Event ID 10 (ProcessAccess), ingested as UDM PROCESS_OPEN events, for Pattern A
- Sysmon Event ID 1 (Process Create), ingested as UDM PROCESS_LAUNCH events, for Patterns B and C
False Positives & Tuning
- Security products and agents not on the exclusion list (EDR sensors, AV engines, backup agents) that legitimately open LSASS. Confirm the image path, signer and parent process in the UDM principal fields before adding a process to the exclusion regex; a path-only exclusion is defeated by a binary dropped under a matching name.
- Legitimate Windows debugging tools (WinDbg, cdb.exe) attached to lsass by developers on developer workstations. Restrict alert scope to servers and non-developer endpoints.
- Authorized process memory acquisition during IR investigations, for example the SOC running ProcDump or Task Manager's "Create dump file" against lsass for later analysis in Volatility or a similar framework (Volatility analyses the image; it does not acquire it). Maintain a list of authorized IR hosts and suppress accordingly.
Testing Methodology
Validate this detection against three Atomic Red Team tests for T1003.001. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: LSASS Dump via comsvcs.dll MiniDump (LOLBin)
Expected signal: Sysmon Event ID 1: Process Create for rundll32.exe with CommandLine containing comsvcs.dll MiniDump. Sysmon Event ID 10: ProcessAccess for lsass.exe from rundll32.exe with GrantedAccess=0x1fffff. Sysmon Event ID 11: FileCreate for the .dmp file in C:\Windows\Temp\.
- Test 2: LSASS Access via PowerShell Reflection (Mimikatz-Style)
Expected signal: Sysmon Event ID 10: ProcessAccess with TargetImage=lsass.exe, SourceImage=powershell.exe. The GrantedAccess value depends on the access requested by Get-Process. Security Event ID 4656/4663 if process object auditing is enabled.
- Test 3: LSASS Dump via ProcDump
Expected signal: Sysmon Event ID 10: ProcessAccess with TargetImage=lsass.exe, SourceImage=procdump.exe, GrantedAccess=0x1fffff. Sysmon Event ID 11: FileCreate for lsass_pd_test.dmp. Sysmon Event ID 1: Process Create for procdump.exe with lsass.exe in CommandLine.
References
- https://attack.mitre.org/techniques/T1003/001/
- https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md
- https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard
- https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection