T1003.001 IBM QRadar · QRadar

Detect LSASS Memory in IBM QRadar

Adversaries access credential material stored in the LSASS process memory. After logon, Windows stores credentials (NTLM hashes, Kerberos tickets, plaintext passwords via WDigest) in LSASS. Tools used include Mimikatz, ProcDump, comsvcs.dll MiniDump (rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump), WerFault silent process exit, and Cobalt Strike's sekurlsa module. Used extensively by APT1, APT33, OilRig, HAFNIUM, Volt Typhoon, NotPetya, Cobalt Strike operators, and many others. Highest-frequency credential dumping technique observed in the wild.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Sub-technique
T1003.001 LSASS Memory
Canonical reference
https://attack.mitre.org/techniques/T1003/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "SourceImage",
  "TargetImage",
  "CommandLine",
  "GrantedAccess"
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12 /* Microsoft Windows Security Event Log / Sysmon */
  AND (
    (
      /* Sysmon EID 10: LSASS process access with high-privilege access masks */
      qid = 5001010 /* Sysmon ProcessAccess */
      AND "TargetImage" ILIKE '%lsass.exe'
      AND "SourceImage" NOT ILIKE '%MsMpEng.exe'
      AND "SourceImage" NOT ILIKE '%csrss.exe'
      AND "SourceImage" NOT ILIKE '%services.exe'
      AND "SourceImage" NOT ILIKE '%lsm.exe'
      AND "SourceImage" NOT ILIKE '%svchost.exe'
      AND "SourceImage" NOT ILIKE '%winlogon.exe'
      AND "SourceImage" NOT ILIKE '%wininit.exe'
      AND "SourceImage" NOT ILIKE '%SecurityHealthService.exe'
      AND (
        "GrantedAccess" IN ('0x1fffff', '0x1f3fff', '0x143a', '0x1410', '0x1010', '0x40')
      )
    )
    OR
    (
      /* Sysmon EID 1: rundll32 comsvcs MiniDump or procdump against lsass */
      qid = 5001001 /* Sysmon ProcessCreate */
      AND (
        (
          "Image" ILIKE '%rundll32.exe'
          AND "CommandLine" ILIKE '%comsvcs%'
          AND "CommandLine" ILIKE '%MiniDump%'
        )
        OR
        (
          ("Image" ILIKE '%procdump.exe' OR "Image" ILIKE '%procdump64.exe')
          AND "CommandLine" ILIKE '%lsass%'
        )
      )
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500
critical severity high confidence

Detects LSASS credential dumping in IBM QRadar via Sysmon process access events (EID 10) with suspicious access masks against lsass.exe, and process creation events (EID 1) for comsvcs MiniDump via rundll32 or ProcDump targeting lsass. Filters out known legitimate processes to reduce noise.

Data Sources

Sysmon via Windows Event LogMicrosoft Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Windows Task Manager running as administrator may legitimately access LSASS memory during process inspection — validate against user role and time of access
  • Legitimate memory forensics tools used by the security team (e.g., WinPmem, Volatility acquisition) — maintain an allowlist of authorized forensics hosts
  • SQL Server sqldumper.exe accessing LSASS during SQL dump operations on database servers — correlate with SQL Server activity on known DB hosts
Download portable Sigma rule (.yml)

Other platforms for T1003.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1LSASS Dump via comsvcs.dll MiniDump (LOLBin)

    Expected signal: Sysmon Event ID 1: Process Create for rundll32.exe with CommandLine containing comsvcs.dll MiniDump. Sysmon Event ID 10: ProcessAccess for lsass.exe from rundll32.exe with GrantedAccess=0x1fffff. Sysmon Event ID 11: FileCreate for the .dmp file in C:\Windows\Temp\.

  2. Test 2LSASS Access via PowerShell Reflection (Mimikatz-Style)

    Expected signal: Sysmon Event ID 10: ProcessAccess with TargetImage=lsass.exe, SourceImage=powershell.exe. The GrantedAccess value depends on the access requested by Get-Process. Security Event ID 4656/4663 if process object auditing is enabled.

  3. Test 3LSASS Dump via ProcDump

    Expected signal: Sysmon Event ID 10: ProcessAccess with TargetImage=lsass.exe, SourceImage=procdump.exe, GrantedAccess=0x1fffff. Sysmon Event ID 11: FileCreate for lsass_pd_test.dmp. Sysmon Event ID 1: Process Create for procdump.exe with lsass.exe in CommandLine.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1003.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1003OS Credential Dumping

Related Sub-techniques

T1003.002Security Account ManagerT1003.003NTDST1003.004LSA SecretsT1003.005Cached Domain CredentialsT1003.006DCSyncT1003.007Proc FilesystemT1003.008/etc/passwd and /etc/shadow

Related Techniques

T1003OS Credential DumpingT1003.002Security Account ManagerT1550.002Pass the HashT1550.003Pass the TicketT1059.001PowerShellT1546.012Image File Execution Options Injection

Same Tactic: Credential Access

Popular Detections