THREAT-CredentialDump-LSASS

LSASS Credential Dumping via Memory Access

LSASS (Local Security Authority Subsystem Service) process memory dumping remains the primary credential theft technique across ransomware operators and APT groups. Attackers access LSASS memory to extract NTLM hashes, Kerberos tickets, and cleartext credentials of all users who have recently authenticated to the system. Common tools: Mimikatz (sekurlsa::logonpasswords, lsadump::sam), ProcDump (procdump -ma lsass.exe), Task Manager dump, comsvcs.dll MiniDump via rundll32, and custom loaders. All documented ransomware groups (Akira, Black Basta, LockBit) use credential dumping to escalate from standard user to domain admin. Detection prioritises the MiniDump-via-rundll32 technique (stealthy, LOL-binary) and ProcDump which are most prevalent. NCSC UK's 2025 ransomware guidance specifically calls out LSASS dumping as a critical detection opportunity in the pre-ransomware kill chain.

Microsoft Sentinel / Defender

kusto

// THREAT: LSASS Credential Dumping (T1003.001)
// Detects memory dumping of lsass.exe via multiple methods

// Alert 1: MiniDump via rundll32.exe + comsvcs.dll (LOL technique)
let LolDump = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine has_all ("comsvcs", "MiniDump") or
      ProcessCommandLine has_all ("comsvcs", "#24") or // #24 is MiniDump ordinal
      (ProcessCommandLine has "lsass" and ProcessCommandLine has "dump")
| extend DumpMethod = "rundll32_comsvcs_MiniDump"
| extend RiskScore = 95;
// Alert 2: ProcDump targeting lsass
let ProcDump = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("procdump.exe", "procdump64.exe")
| where ProcessCommandLine has "lsass" or ProcessCommandLine has "-ma"
| extend DumpMethod = "ProcDump_LSASS"
| extend RiskScore = 90;
// Alert 3: Direct process handle to lsass (non-whitelisted)
let DirectHandle = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType =~ "ProcessPrimaryTokenModified" or ActionType =~ "CreateRemoteThreadApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ (
    "svchost.exe", "wininit.exe", "system", "lsm.exe",
    "csrss.exe", "SecurityHealthService.exe"
  )
| extend DumpMethod = "LSASS_DirectHandle"
| extend RiskScore = 85;
// Alert 4: Suspicious file creation of .dmp files
let DmpFile = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".dmp" or FileName endswith ".mdmp"
| where FolderPath has_any ("Temp", "tmp", "ProgramData", "Users", "Public")
    and FolderPath !has "WER" and FolderPath !has "Crash"
| where InitiatingProcessFileName !in~ (
    "werfault.exe", "werFaultSecure.exe", "msdtc.exe", "drwtsn32.exe"
  )
| extend DumpMethod = "DumpFile_SuspiciousLocation"
| extend RiskScore = 80;
union LolDump, ProcDump, DirectHandle, DmpFile
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, DumpMethod, RiskScore
| sort by RiskScore desc, Timestamp desc

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceEvents, DeviceFileEvents) Sysmon Event ID 1, 10, 11 Windows Security Event Log (Event ID 4656, 10)

Required Tables

DeviceProcessEvents DeviceEvents DeviceFileEvents

False Positives

Windows Error Reporting (WER/werfault.exe) creating process dumps for crashed applications
Security products (CrowdStrike, SentinelOne, Defender) accessing LSASS for legitimate monitoring
Authorised penetration testers using Mimikatz or ProcDump during red team exercises
System administrator creating diagnostic dumps for debugging authentication issues
Dr. Watson (drwtsn32.exe) or other diagnostic utilities creating process dumps

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (
    EventCode=1
    Image="*\\rundll32.exe"
    (CommandLine="*comsvcs*" AND (CommandLine="*MiniDump*" OR CommandLine="*#24*" OR CommandLine="*lsass*"))
  )
  OR
  (
    EventCode=1
    (Image="*\\procdump.exe" OR Image="*\\procdump64.exe")
    (CommandLine="*lsass*" OR CommandLine="*-ma*")
  )
  OR
  (
    EventCode=10
    TargetImage="*\\lsass.exe"
    NOT (SourceImage="*\\svchost.exe" OR SourceImage="*\\wininit.exe" OR
         SourceImage="*\\lsm.exe" OR SourceImage="*\\csrss.exe" OR
         SourceImage="*\\SecurityHealthService.exe" OR SourceImage="*\\MsMpEng.exe" OR
         SourceImage="*\\SenseIR.exe" OR SourceImage="*\\MsSense.exe" OR
         SourceImage="*\\CSFalconService.exe" OR SourceImage="*\\SentinelAgent.exe")
  )
  OR
  (
    EventCode=11
    (TargetFilename="*.dmp" OR TargetFilename="*.mdmp")
    NOT (Image="*\\werfault.exe" OR Image="*\\WerFaultSecure.exe" OR Image="*\\drwtsn32.exe")
    (TargetFilename="*Temp*" OR TargetFilename="*ProgramData*" OR TargetFilename="*Users*" OR TargetFilename="*Public*")
  )
)
| eval DumpMethod=case(
    EventCode=1 AND match(Image, "(?i)rundll32") AND match(CommandLine, "(?i)(comsvcs|MiniDump|#24)"),
    "rundll32_comsvcs_MiniDump",
    EventCode=1 AND match(Image, "(?i)procdump"),
    "ProcDump_LSASS",
    EventCode=10 AND match(TargetImage, "(?i)lsass"),
    "LSASS_ProcessAccess",
    EventCode=11 AND (match(TargetFilename, "(?i)\.dmp") OR match(TargetFilename, "(?i)\.mdmp")),
    "DumpFile_Created",
    true(), "Other"
  )
| eval RiskScore=case(
    DumpMethod="rundll32_comsvcs_MiniDump", 95,
    DumpMethod="ProcDump_LSASS", 90,
    DumpMethod="LSASS_ProcessAccess", 85,
    DumpMethod="DumpFile_Created", 80,
    true(), 50
  )
| stats count AS Events, values(DumpMethod) AS Methods, max(RiskScore) AS MaxRisk
  BY host, User, _time span=30m
| eval ThreatActors="Akira, Black Basta, LockBit, Scattered Spider"
| sort - MaxRisk

critical severity high confidence

Data Sources

Sysmon via Windows Event Log Microsoft Defender for Endpoint

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Windows Error Reporting creating crash dumps
Security products (MsMpEng, CSFalconService, SentinelAgent) accessing LSASS
Authorised red team activity during scheduled exercises

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "sourceip" AS HostIP,
  "username" AS AccountName,
  "URL" AS ProcessImage,
  "PostNATSourcePort" AS EventCode,
  CASE
    WHEN "URL" ILIKE '%rundll32%' AND ("destinationip" ILIKE '%comsvcs%' OR QIDNAME(qid) ILIKE '%MiniDump%') THEN 'rundll32_comsvcs_MiniDump'
    WHEN "URL" ILIKE '%procdump%' THEN 'ProcDump_LSASS'
    WHEN QIDNAME(qid) ILIKE '%lsass%' AND CATEGORYNAME(category) ILIKE '%process access%' THEN 'LSASS_ProcessAccess'
    WHEN CATEGORYNAME(category) ILIKE '%file create%' AND ("filename" ILIKE '%.dmp' OR "filename" ILIKE '%.mdmp') THEN 'DumpFile_Created'
    ELSE 'Unknown'
  END AS DumpMethod,
  CASE
    WHEN "URL" ILIKE '%rundll32%' AND QIDNAME(qid) ILIKE '%MiniDump%' THEN 95
    WHEN "URL" ILIKE '%procdump%' THEN 90
    WHEN QIDNAME(qid) ILIKE '%lsass%' THEN 85
    ELSE 80
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 229)
  AND starttime > NOW() - 86400000
  AND (
    (
      QIDNAME(qid) ILIKE '%process create%'
      AND "URL" ILIKE '%rundll32.exe%'
      AND (
        ("commandline" ILIKE '%comsvcs%' AND ("commandline" ILIKE '%MiniDump%' OR "commandline" ILIKE '%#24%'))
        OR ("commandline" ILIKE '%lsass%' AND "commandline" ILIKE '%dump%')
      )
    )
    OR (
      QIDNAME(qid) ILIKE '%process create%'
      AND ("URL" ILIKE '%procdump.exe%' OR "URL" ILIKE '%procdump64.exe%')
      AND ("commandline" ILIKE '%lsass%' OR "commandline" ILIKE '%-ma%')
    )
    OR (
      QIDNAME(qid) ILIKE '%process access%'
      AND "targetprocessname" ILIKE '%lsass.exe%'
      AND "URL" NOT ILIKE '%svchost.exe%'
      AND "URL" NOT ILIKE '%wininit.exe%'
      AND "URL" NOT ILIKE '%lsm.exe%'
      AND "URL" NOT ILIKE '%csrss.exe%'
      AND "URL" NOT ILIKE '%MsMpEng.exe%'
      AND "URL" NOT ILIKE '%SentinelAgent.exe%'
    )
    OR (
      QIDNAME(qid) ILIKE '%file create%'
      AND ("filename" ILIKE '%.dmp' OR "filename" ILIKE '%.mdmp')
      AND ("filepath" ILIKE '%Temp%' OR "filepath" ILIKE '%ProgramData%' OR "filepath" ILIKE '%Users%' OR "filepath" ILIKE '%Public%')
      AND "URL" NOT ILIKE '%werfault.exe%'
      AND "URL" NOT ILIKE '%drwtsn32.exe%'
    )
  )
ORDER BY RiskScore DESC, starttime DESC

critical severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon (QRadar DSM) Microsoft Windows Security Event Log

Required Tables

events

False Positives

Legitimate system administration use of ProcDump for capturing crash dumps of lsass.exe during active troubleshooting of authentication issues
Security software (EDR agents, AV) that regularly access lsass.exe memory space for protection and monitoring — review SourceImage whitelisting
Windows Error Reporting creating .dmp files in temp directories following application or service crashes unrelated to credential access

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _sourceName matches "*Sysmon*" or _sourceName matches "*Security*" or _sourceName matches "*WinEventLog*"
| parse "<EventID>*</EventID>" as EventCode nodrop
| parse "<Image>*</Image>" as ProcessImage nodrop
| parse "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse "<TargetImage>*</TargetImage>" as TargetImage nodrop
| parse "<TargetFilename>*</TargetFilename>" as TargetFilename nodrop
| parse "<User>*</User>" as AccountUser nodrop
| parse "<Computer>*</Computer>" as HostName nodrop
| parse "<SourceImage>*</SourceImage>" as SourceImage nodrop
| where (
    (
      EventCode = "1"
      and ProcessImage matches "*rundll32.exe*"
      and (
        (CommandLine matches "*comsvcs*" and (CommandLine matches "*MiniDump*" or CommandLine matches "*#24*"))
        or (CommandLine matches "*lsass*" and CommandLine matches "*dump*")
      )
    )
    or (
      EventCode = "1"
      and (ProcessImage matches "*procdump.exe*" or ProcessImage matches "*procdump64.exe*")
      and (CommandLine matches "*lsass*" or CommandLine matches "*-ma*")
    )
    or (
      EventCode = "10"
      and TargetImage matches "*lsass.exe*"
      and not (SourceImage matches "*svchost.exe*" or SourceImage matches "*wininit.exe*"
        or SourceImage matches "*lsm.exe*" or SourceImage matches "*csrss.exe*"
        or SourceImage matches "*SecurityHealthService.exe*" or SourceImage matches "*MsMpEng.exe*"
        or SourceImage matches "*SenseIR.exe*" or SourceImage matches "*MsSense.exe*"
        or SourceImage matches "*SentinelAgent.exe*" or SourceImage matches "*CSFalconService.exe*")
    )
    or (
      EventCode = "11"
      and (TargetFilename matches "*.dmp" or TargetFilename matches "*.mdmp")
      and (TargetFilename matches "*Temp*" or TargetFilename matches "*ProgramData*"
        or TargetFilename matches "*Users*" or TargetFilename matches "*Public*")
      and not (ProcessImage matches "*werfault.exe*" or ProcessImage matches "*WerFaultSecure.exe*"
        or ProcessImage matches "*drwtsn32.exe*")
    )
  )
| if (EventCode = "1" and ProcessImage matches "*rundll32*" and CommandLine matches "*comsvcs*",
    "rundll32_comsvcs_MiniDump",
    if (EventCode = "1" and (ProcessImage matches "*procdump*"),
      "ProcDump_LSASS",
      if (EventCode = "10" and TargetImage matches "*lsass*",
        "LSASS_ProcessAccess",
        if (EventCode = "11" and (TargetFilename matches "*.dmp" or TargetFilename matches "*.mdmp"),
          "DumpFile_Created", "Other")))) as DumpMethod
| if (DumpMethod = "rundll32_comsvcs_MiniDump", 95,
    if (DumpMethod = "ProcDump_LSASS", 90,
      if (DumpMethod = "LSASS_ProcessAccess", 85, 80))) as RiskScore
| count as Events by HostName, AccountUser, DumpMethod, RiskScore
| sort by RiskScore desc

critical severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Sumo Logic Collector Windows Security Event Logs

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Security operations teams running ProcDump as part of authorized forensic investigations or incident response on compromised hosts
Enterprise monitoring agents (CrowdStrike Falcon, SentinelOne, Microsoft Defender) performing routine lsass inspection — extend SourceImage exclusions as needed
Application crash dump collection by Windows Error Reporting generating .dmp files in %TEMP% or AppData during legitimate application failures

Google Chronicle / SecOps

yaral

rule lsass_credential_dumping_multi_method {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects LSASS credential dumping via rundll32/comsvcs MiniDump, ProcDump, direct process access, and dump file creation"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1003.001"
    reference = "https://attack.mitre.org/techniques/T1003/001/"
    threat_actors = "Akira, Black Basta, LockBit, Scattered Spider"

  events:
    (
      // Method 1: rundll32 + comsvcs MiniDump (LOL technique)
      (
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.principal.process.file.full_path, `(?i)rundll32\.exe`)
        and (
          (
            re.regex($e1.target.process.command_line, `(?i)comsvcs`) and
            re.regex($e1.target.process.command_line, `(?i)(MiniDump|#24)`)
          ) or
          (
            re.regex($e1.target.process.command_line, `(?i)lsass`) and
            re.regex($e1.target.process.command_line, `(?i)dump`)
          )
        )
      )
      or
      // Method 2: ProcDump targeting lsass
      (
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.target.process.file.full_path, `(?i)procdump(64)?\.exe`)
        and (
          re.regex($e1.target.process.command_line, `(?i)lsass`) or
          re.regex($e1.target.process.command_line, `(?i)-ma`)
        )
      )
      or
      // Method 3: Process access to lsass from suspicious source
      (
        $e1.metadata.event_type = "PROCESS_OPEN"
        and re.regex($e1.target.process.file.full_path, `(?i)lsass\.exe`)
        and not re.regex($e1.principal.process.file.full_path, `(?i)(svchost|wininit|lsm|csrss|SecurityHealthService|MsMpEng|SenseIR|MsSense|SentinelAgent|CSFalconService)\.exe`)
      )
      or
      // Method 4: Suspicious .dmp/.mdmp file creation
      (
        $e1.metadata.event_type = "FILE_CREATION"
        and re.regex($e1.target.file.full_path, `(?i)\.(dmp|mdmp)$`)
        and re.regex($e1.target.file.full_path, `(?i)(Temp|tmp|ProgramData|Users|Public)`)
        and not re.regex($e1.target.file.full_path, `(?i)(WER|Crash)`)
        and not re.regex($e1.principal.process.file.full_path, `(?i)(werfault|WerFaultSecure|drwtsn32|msdtc)\.exe`)
      )
    )

  condition:
    $e1
}

critical severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Logs via Chronicle forwarder Sysmon via Chronicle ingestion

Required Tables

PROCESS_LAUNCH PROCESS_OPEN FILE_CREATION

False Positives

Authorized red team or penetration testing exercises using standard credential dumping tools as part of a scoped engagement — coordinate with security team for time-based exclusions
Vendor-supplied diagnostic utilities that create process memory dumps of lsass.exe for authentication troubleshooting on domain controllers
Windows kernel and system dump operations triggered by BSOD or kernel crash events generating .dmp files in accessible paths before WER moves them

CrowdStrike LogScale (CQL)

cql

// LSASS Credential Dumping Detection — CrowdStrike LogScale (Falcon)
// Method 1: rundll32 + comsvcs MiniDump
#event_simpleName=ProcessRollup2
| ImageFileName = /rundll32\.exe/i
| CommandLine = /comsvcs/i
| CommandLine = /(MiniDump|#24|lsass.*dump)/i
| DumpMethod := "rundll32_comsvcs_MiniDump"
| RiskScore := 95

// Union with Method 2: ProcDump
| union [
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(procdump|procdump64)\.exe/i
  | CommandLine = /(lsass|-ma)/i
  | DumpMethod := "ProcDump_LSASS"
  | RiskScore := 90
]

// Union with Method 3: Process injection/access targeting lsass
| union [
  #event_simpleName=ProcessRollup2
  | TargetProcessId != null
  | TargetImageFileName = /lsass\.exe/i
  | ImageFileName != /(svchost|wininit|lsm|csrss|SecurityHealthService|MsMpEng|SenseIR|MsSense|SentinelAgent|CSFalconService)\.exe/i
  | DumpMethod := "LSASS_ProcessAccess"
  | RiskScore := 85
]

// Union with Method 4: .dmp/.mdmp file creation in suspicious paths
| union [
  #event_simpleName=PeFileWritten OR #event_simpleName=SuspiciousFileWrite
  | TargetFileName = /\.(dmp|mdmp)$/i
  | TargetFileName = /(Temp|tmp|ProgramData|Users|Public)/i
  | TargetFileName != /(WER|Crash)/i
  | ImageFileName != /(werfault|WerFaultSecure|drwtsn32|msdtc)\.exe/i
  | DumpMethod := "DumpFile_Created"
  | RiskScore := 80
]

| groupBy([ComputerName, UserName, DumpMethod, RiskScore], function=[
    count(as=EventCount),
    collect([ImageFileName, CommandLine], multival=true, limit=10)
  ])
| ThreatActors := "Akira, Black Basta, LockBit, Scattered Spider"
| sort(RiskScore, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale Falcon Sensor process telemetry

Required Tables

ProcessRollup2 PeFileWritten SuspiciousFileWrite

False Positives

CrowdStrike Falcon sensor itself (CSFalconService.exe) accessing lsass.exe — already excluded but verify CSFalconService is in the exclusion regex for your environment
Legitimate sysadmin use of ProcDump or Task Manager dump feature during authorized incident response or debugging sessions on servers experiencing authentication failures
Third-party PAM (Privileged Access Management) solutions that periodically access LSASS to rotate credentials or validate password policy compliance

Last updated: 2026-04-25 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for THREAT-CredentialDump-LSASS including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

LSASS Credential Dumping via Memory Access

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Credential Access

Popular Detections