Which SIEM platforms have a THREAT-CredentialDump-LSASS detection rule?

df00tech provides THREAT-CredentialDump-LSASS (LSASS Credential Dumping via Memory Access) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the THREAT-CredentialDump-LSASS detection?

The THREAT-CredentialDump-LSASS detection is rated critical severity with high confidence.

What are common false positives for THREAT-CredentialDump-LSASS?

Common false positives for THREAT-CredentialDump-LSASS include: Windows Error Reporting (WER/werfault.exe) creating process dumps for crashed applications; Security products (CrowdStrike, SentinelOne, Defender) accessing LSASS for legitimate monitoring; Authorised penetration testers using Mimikatz or ProcDump during red team exercises.

THREAT-CredentialDump-LSASS

LSASS Credential Dumping via Memory Access

Q: What data sources are required to detect LSASS Credential Dumping via Memory Access (THREAT-CredentialDump-LSASS)?

Detecting LSASS Credential Dumping via Memory Access requires the following data sources: Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceEvents, DeviceFileEvents), Sysmon Event ID 1, 10, 11, Windows Security Event Log (Event ID 4656, 10).

Credential Access Last updated: April 25, 2026

LSASS (Local Security Authority Subsystem Service) process memory dumping remains the primary credential theft technique across ransomware operators and APT groups. Attackers access LSASS memory to extract NTLM hashes, Kerberos tickets, and cleartext credentials of all users who have recently authenticated to the system. Common tools: Mimikatz (sekurlsa::logonpasswords, lsadump::sam), ProcDump (procdump -ma lsass.exe), Task Manager dump, comsvcs.dll MiniDump via rundll32, and custom loaders. All documented ransomware groups (Akira, Black Basta, LockBit) use credential dumping to escalate from standard user to domain admin. Detection prioritises the MiniDump-via-rundll32 technique (stealthy, LOL-binary) and ProcDump which are most prevalent. NCSC UK's 2025 ransomware guidance specifically calls out LSASS dumping as a critical detection opportunity in the pre-ransomware kill chain.

What is THREAT-CredentialDump-LSASS LSASS Credential Dumping via Memory Access?

LSASS Credential Dumping via Memory Access (THREAT-CredentialDump-LSASS) maps to the Credential Access tactic — the adversary is trying to steal account names and passwords in MITRE ATT&CK.

This page provides production-ready detection logic for LSASS Credential Dumping via Memory Access, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceEvents, DeviceFileEvents), Sysmon Event ID 1, 10, 11, Windows Security Event Log (Event ID 4656, 10). The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Credential Access

Microsoft Sentinel / Defender

kusto

// THREAT: LSASS Credential Dumping (T1003.001)
// Detects memory dumping of lsass.exe via multiple methods

// Alert 1: MiniDump via rundll32.exe + comsvcs.dll (LOL technique)
let LolDump = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine has_all ("comsvcs", "MiniDump") or
      ProcessCommandLine has_all ("comsvcs", "#24") or // #24 is MiniDump ordinal
      (ProcessCommandLine has "lsass" and ProcessCommandLine has "dump")
| extend DumpMethod = "rundll32_comsvcs_MiniDump"
| extend RiskScore = 95;
// Alert 2: ProcDump targeting lsass
let ProcDump = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("procdump.exe", "procdump64.exe")
| where ProcessCommandLine has "lsass" or ProcessCommandLine has "-ma"
| extend DumpMethod = "ProcDump_LSASS"
| extend RiskScore = 90;
// Alert 3: Direct process handle to lsass (non-whitelisted)
let DirectHandle = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType =~ "ProcessPrimaryTokenModified" or ActionType =~ "CreateRemoteThreadApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ (
    "svchost.exe", "wininit.exe", "system", "lsm.exe",
    "csrss.exe", "SecurityHealthService.exe"
  )
| extend DumpMethod = "LSASS_DirectHandle"
| extend RiskScore = 85;
// Alert 4: Suspicious file creation of .dmp files
let DmpFile = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".dmp" or FileName endswith ".mdmp"
| where FolderPath has_any ("Temp", "tmp", "ProgramData", "Users", "Public")
    and FolderPath !has "WER" and FolderPath !has "Crash"
| where InitiatingProcessFileName !in~ (
    "werfault.exe", "werFaultSecure.exe", "msdtc.exe", "drwtsn32.exe"
  )
| extend DumpMethod = "DumpFile_SuspiciousLocation"
| extend RiskScore = 80;
union LolDump, ProcDump, DirectHandle, DmpFile
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, DumpMethod, RiskScore
| sort by RiskScore desc, Timestamp desc

Four-vector LSASS dump detection: (1) rundll32.exe + comsvcs.dll MiniDump — the living-off-the-land LSASS dump technique that avoids dropping Mimikatz; (2) ProcDump targeting lsass.exe; (3) direct process handle or remote thread injection into lsass; (4) .dmp file creation in suspicious temp directories — the output artifact. RiskScore 80-95 based on technique specificity.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceEvents, DeviceFileEvents) Sysmon Event ID 1, 10, 11 Windows Security Event Log (Event ID 4656, 10)

Required Tables

DeviceProcessEvents DeviceEvents DeviceFileEvents

False Positives

Windows Error Reporting (WER/werfault.exe) creating process dumps for crashed applications
Security products (CrowdStrike, SentinelOne, Defender) accessing LSASS for legitimate monitoring
Authorised penetration testers using Mimikatz or ProcDump during red team exercises
System administrator creating diagnostic dumps for debugging authentication issues
Dr. Watson (drwtsn32.exe) or other diagnostic utilities creating process dumps

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (
    EventCode=1
    Image="*\\rundll32.exe"
    (CommandLine="*comsvcs*" AND (CommandLine="*MiniDump*" OR CommandLine="*#24*" OR CommandLine="*lsass*"))
  )
  OR
  (
    EventCode=1
    (Image="*\\procdump.exe" OR Image="*\\procdump64.exe")
    (CommandLine="*lsass*" OR CommandLine="*-ma*")
  )
  OR
  (
    EventCode=10
    TargetImage="*\\lsass.exe"
    NOT (SourceImage="*\\svchost.exe" OR SourceImage="*\\wininit.exe" OR
         SourceImage="*\\lsm.exe" OR SourceImage="*\\csrss.exe" OR
         SourceImage="*\\SecurityHealthService.exe" OR SourceImage="*\\MsMpEng.exe" OR
         SourceImage="*\\SenseIR.exe" OR SourceImage="*\\MsSense.exe" OR
         SourceImage="*\\CSFalconService.exe" OR SourceImage="*\\SentinelAgent.exe")
  )
  OR
  (
    EventCode=11
    (TargetFilename="*.dmp" OR TargetFilename="*.mdmp")
    NOT (Image="*\\werfault.exe" OR Image="*\\WerFaultSecure.exe" OR Image="*\\drwtsn32.exe")
    (TargetFilename="*Temp*" OR TargetFilename="*ProgramData*" OR TargetFilename="*Users*" OR TargetFilename="*Public*")
  )
)
| eval DumpMethod=case(
    EventCode=1 AND match(Image, "(?i)rundll32") AND match(CommandLine, "(?i)(comsvcs|MiniDump|#24)"),
    "rundll32_comsvcs_MiniDump",
    EventCode=1 AND match(Image, "(?i)procdump"),
    "ProcDump_LSASS",
    EventCode=10 AND match(TargetImage, "(?i)lsass"),
    "LSASS_ProcessAccess",
    EventCode=11 AND (match(TargetFilename, "(?i)\.dmp") OR match(TargetFilename, "(?i)\.mdmp")),
    "DumpFile_Created",
    true(), "Other"
  )
| eval RiskScore=case(
    DumpMethod="rundll32_comsvcs_MiniDump", 95,
    DumpMethod="ProcDump_LSASS", 90,
    DumpMethod="LSASS_ProcessAccess", 85,
    DumpMethod="DumpFile_Created", 80,
    true(), 50
  )
| stats count AS Events, values(DumpMethod) AS Methods, max(RiskScore) AS MaxRisk
  BY host, User, _time span=30m
| eval ThreatActors="Akira, Black Basta, LockBit, Scattered Spider"
| sort - MaxRisk

SPL LSASS credential dump detection via Sysmon. Covers four Sysmon event types: Event ID 1 (process creation for rundll32 MiniDump and ProcDump), Event ID 10 (process access to lsass.exe), and Event ID 11 (dump file creation). Excludes known-good security tool accesses (Defender, CrowdStrike, SentinelOne) to reduce false positives.

critical severity high confidence

Data Sources

Sysmon via Windows Event Log Microsoft Defender for Endpoint

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Windows Error Reporting creating crash dumps
Security products (MsMpEng, CSFalconService, SentinelAgent) accessing LSASS
Authorised red team activity during scheduled exercises

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where (
    (
      event.category == "process" and event.type == "start" and
      process.name : "rundll32.exe" and
      (
        (process.args : "comsvcs*" and (process.args : "*MiniDump*" or process.args : "*#24*")) or
        (process.command_line : "*comsvcs*" and process.command_line : "*MiniDump*") or
        (process.command_line : "*lsass*" and process.command_line : "*dump*")
      )
    ) or
    (
      event.category == "process" and event.type == "start" and
      process.name : ("procdump.exe", "procdump64.exe") and
      (process.command_line : "*lsass*" or process.args : "-ma")
    ) or
    (
      event.category == "process" and event.type == "access" and
      process.name : "lsass.exe" and
      not process.parent.name : ("svchost.exe", "wininit.exe", "lsm.exe", "csrss.exe", "SecurityHealthService.exe", "MsMpEng.exe", "SenseIR.exe", "MsSense.exe")
    ) or
    (
      event.category == "file" and event.type == "creation" and
      (file.extension : "dmp" or file.extension : "mdmp") and
      file.path : ("*\\Temp\\*", "*\\tmp\\*", "*\\ProgramData\\*", "*\\Users\\*", "*\\Public\\*") and
      not process.name : ("werfault.exe", "WerFaultSecure.exe", "drwtsn32.exe", "msdtc.exe")
    )
  )
]

Detects LSASS credential dumping via four methods: (1) rundll32.exe with comsvcs.dll MiniDump LOL technique, (2) ProcDump targeting lsass.exe, (3) direct process access to lsass from non-whitelisted processes, (4) suspicious .dmp/.mdmp file creation in writable user-accessible locations. Covers Akira, Black Basta, LockBit, and Scattered Spider TTPs.

critical severity high confidence

Data Sources

Elastic Endpoint Security Windows Event Logs via Elastic Agent Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

Legitimate memory diagnostic tools used by IT operations running ProcDump against system processes for debugging purposes
Crash dump collection by Windows Error Reporting (WER) creating .dmp files in temp locations during application failures
EDR and AV solutions that legitimately access lsass.exe memory for process protection and credential guard monitoring

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "sourceip" AS HostIP,
  "username" AS AccountName,
  "URL" AS ProcessImage,
  "PostNATSourcePort" AS EventCode,
  CASE
    WHEN "URL" ILIKE '%rundll32%' AND ("destinationip" ILIKE '%comsvcs%' OR QIDNAME(qid) ILIKE '%MiniDump%') THEN 'rundll32_comsvcs_MiniDump'
    WHEN "URL" ILIKE '%procdump%' THEN 'ProcDump_LSASS'
    WHEN QIDNAME(qid) ILIKE '%lsass%' AND CATEGORYNAME(category) ILIKE '%process access%' THEN 'LSASS_ProcessAccess'
    WHEN CATEGORYNAME(category) ILIKE '%file create%' AND ("filename" ILIKE '%.dmp' OR "filename" ILIKE '%.mdmp') THEN 'DumpFile_Created'
    ELSE 'Unknown'
  END AS DumpMethod,
  CASE
    WHEN "URL" ILIKE '%rundll32%' AND QIDNAME(qid) ILIKE '%MiniDump%' THEN 95
    WHEN "URL" ILIKE '%procdump%' THEN 90
    WHEN QIDNAME(qid) ILIKE '%lsass%' THEN 85
    ELSE 80
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 229)
  AND starttime > NOW() - 86400000
  AND (
    (
      QIDNAME(qid) ILIKE '%process create%'
      AND "URL" ILIKE '%rundll32.exe%'
      AND (
        ("commandline" ILIKE '%comsvcs%' AND ("commandline" ILIKE '%MiniDump%' OR "commandline" ILIKE '%#24%'))
        OR ("commandline" ILIKE '%lsass%' AND "commandline" ILIKE '%dump%')
      )
    )
    OR (
      QIDNAME(qid) ILIKE '%process create%'
      AND ("URL" ILIKE '%procdump.exe%' OR "URL" ILIKE '%procdump64.exe%')
      AND ("commandline" ILIKE '%lsass%' OR "commandline" ILIKE '%-ma%')
    )
    OR (
      QIDNAME(qid) ILIKE '%process access%'
      AND "targetprocessname" ILIKE '%lsass.exe%'
      AND "URL" NOT ILIKE '%svchost.exe%'
      AND "URL" NOT ILIKE '%wininit.exe%'
      AND "URL" NOT ILIKE '%lsm.exe%'
      AND "URL" NOT ILIKE '%csrss.exe%'
      AND "URL" NOT ILIKE '%MsMpEng.exe%'
      AND "URL" NOT ILIKE '%SentinelAgent.exe%'
    )
    OR (
      QIDNAME(qid) ILIKE '%file create%'
      AND ("filename" ILIKE '%.dmp' OR "filename" ILIKE '%.mdmp')
      AND ("filepath" ILIKE '%Temp%' OR "filepath" ILIKE '%ProgramData%' OR "filepath" ILIKE '%Users%' OR "filepath" ILIKE '%Public%')
      AND "URL" NOT ILIKE '%werfault.exe%'
      AND "URL" NOT ILIKE '%drwtsn32.exe%'
    )
  )
ORDER BY RiskScore DESC, starttime DESC

AQL query for IBM QRadar detecting LSASS credential dumping via rundll32/comsvcs MiniDump LOL technique, ProcDump targeting lsass, direct lsass process access from non-whitelisted processes, and suspicious dump file creation. Targets Windows Sysmon and Security log sources (LOGSOURCETYPEID 12=Windows, 13=Sysmon, 229=Microsoft Security).

critical severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon (QRadar DSM) Microsoft Windows Security Event Log

Required Tables

events

False Positives

Legitimate system administration use of ProcDump for capturing crash dumps of lsass.exe during active troubleshooting of authentication issues
Security software (EDR agents, AV) that regularly access lsass.exe memory space for protection and monitoring — review SourceImage whitelisting
Windows Error Reporting creating .dmp files in temp directories following application or service crashes unrelated to credential access

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _sourceName matches "*Sysmon*" or _sourceName matches "*Security*" or _sourceName matches "*WinEventLog*"
| parse "<EventID>*</EventID>" as EventCode nodrop
| parse "<Image>*</Image>" as ProcessImage nodrop
| parse "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse "<TargetImage>*</TargetImage>" as TargetImage nodrop
| parse "<TargetFilename>*</TargetFilename>" as TargetFilename nodrop
| parse "<User>*</User>" as AccountUser nodrop
| parse "<Computer>*</Computer>" as HostName nodrop
| parse "<SourceImage>*</SourceImage>" as SourceImage nodrop
| where (
    (
      EventCode = "1"
      and ProcessImage matches "*rundll32.exe*"
      and (
        (CommandLine matches "*comsvcs*" and (CommandLine matches "*MiniDump*" or CommandLine matches "*#24*"))
        or (CommandLine matches "*lsass*" and CommandLine matches "*dump*")
      )
    )
    or (
      EventCode = "1"
      and (ProcessImage matches "*procdump.exe*" or ProcessImage matches "*procdump64.exe*")
      and (CommandLine matches "*lsass*" or CommandLine matches "*-ma*")
    )
    or (
      EventCode = "10"
      and TargetImage matches "*lsass.exe*"
      and not (SourceImage matches "*svchost.exe*" or SourceImage matches "*wininit.exe*"
        or SourceImage matches "*lsm.exe*" or SourceImage matches "*csrss.exe*"
        or SourceImage matches "*SecurityHealthService.exe*" or SourceImage matches "*MsMpEng.exe*"
        or SourceImage matches "*SenseIR.exe*" or SourceImage matches "*MsSense.exe*"
        or SourceImage matches "*SentinelAgent.exe*" or SourceImage matches "*CSFalconService.exe*")
    )
    or (
      EventCode = "11"
      and (TargetFilename matches "*.dmp" or TargetFilename matches "*.mdmp")
      and (TargetFilename matches "*Temp*" or TargetFilename matches "*ProgramData*"
        or TargetFilename matches "*Users*" or TargetFilename matches "*Public*")
      and not (ProcessImage matches "*werfault.exe*" or ProcessImage matches "*WerFaultSecure.exe*"
        or ProcessImage matches "*drwtsn32.exe*")
    )
  )
| if (EventCode = "1" and ProcessImage matches "*rundll32*" and CommandLine matches "*comsvcs*",
    "rundll32_comsvcs_MiniDump",
    if (EventCode = "1" and (ProcessImage matches "*procdump*"),
      "ProcDump_LSASS",
      if (EventCode = "10" and TargetImage matches "*lsass*",
        "LSASS_ProcessAccess",
        if (EventCode = "11" and (TargetFilename matches "*.dmp" or TargetFilename matches "*.mdmp"),
          "DumpFile_Created", "Other")))) as DumpMethod
| if (DumpMethod = "rundll32_comsvcs_MiniDump", 95,
    if (DumpMethod = "ProcDump_LSASS", 90,
      if (DumpMethod = "LSASS_ProcessAccess", 85, 80))) as RiskScore
| count as Events by HostName, AccountUser, DumpMethod, RiskScore
| sort by RiskScore desc

Sumo Logic query detecting LSASS memory dumping across four vectors: rundll32/comsvcs MiniDump LOL technique (RiskScore 95), ProcDump targeting lsass (90), unauthorized lsass process access via Sysmon Event 10 (85), and suspicious .dmp/.mdmp file creation (80). Parses Sysmon XML events from Windows endpoint log sources.

critical severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Sumo Logic Collector Windows Security Event Logs

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Security operations teams running ProcDump as part of authorized forensic investigations or incident response on compromised hosts
Enterprise monitoring agents (CrowdStrike Falcon, SentinelOne, Microsoft Defender) performing routine lsass inspection — extend SourceImage exclusions as needed
Application crash dump collection by Windows Error Reporting generating .dmp files in %TEMP% or AppData during legitimate application failures

Google Chronicle / SecOps

yaral

rule lsass_credential_dumping_multi_method {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects LSASS credential dumping via rundll32/comsvcs MiniDump, ProcDump, direct process access, and dump file creation"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1003.001"
    reference = "https://attack.mitre.org/techniques/T1003/001/"
    threat_actors = "Akira, Black Basta, LockBit, Scattered Spider"

  events:
    (
      // Method 1: rundll32 + comsvcs MiniDump (LOL technique)
      (
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.principal.process.file.full_path, `(?i)rundll32\.exe`)
        and (
          (
            re.regex($e1.target.process.command_line, `(?i)comsvcs`) and
            re.regex($e1.target.process.command_line, `(?i)(MiniDump|#24)`)
          ) or
          (
            re.regex($e1.target.process.command_line, `(?i)lsass`) and
            re.regex($e1.target.process.command_line, `(?i)dump`)
          )
        )
      )
      or
      // Method 2: ProcDump targeting lsass
      (
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.target.process.file.full_path, `(?i)procdump(64)?\.exe`)
        and (
          re.regex($e1.target.process.command_line, `(?i)lsass`) or
          re.regex($e1.target.process.command_line, `(?i)-ma`)
        )
      )
      or
      // Method 3: Process access to lsass from suspicious source
      (
        $e1.metadata.event_type = "PROCESS_OPEN"
        and re.regex($e1.target.process.file.full_path, `(?i)lsass\.exe`)
        and not re.regex($e1.principal.process.file.full_path, `(?i)(svchost|wininit|lsm|csrss|SecurityHealthService|MsMpEng|SenseIR|MsSense|SentinelAgent|CSFalconService)\.exe`)
      )
      or
      // Method 4: Suspicious .dmp/.mdmp file creation
      (
        $e1.metadata.event_type = "FILE_CREATION"
        and re.regex($e1.target.file.full_path, `(?i)\.(dmp|mdmp)$`)
        and re.regex($e1.target.file.full_path, `(?i)(Temp|tmp|ProgramData|Users|Public)`)
        and not re.regex($e1.target.file.full_path, `(?i)(WER|Crash)`)
        and not re.regex($e1.principal.process.file.full_path, `(?i)(werfault|WerFaultSecure|drwtsn32|msdtc)\.exe`)
      )
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting LSASS credential dumping across four methods using UDM event model. Covers the rundll32/comsvcs LOL technique (highest severity), ProcDump usage, direct process access to lsass.exe from non-whitelisted processes, and suspicious memory dump file creation in user-accessible directories.

critical severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Logs via Chronicle forwarder Sysmon via Chronicle ingestion

Required Tables

PROCESS_LAUNCH PROCESS_OPEN FILE_CREATION

False Positives

Authorized red team or penetration testing exercises using standard credential dumping tools as part of a scoped engagement — coordinate with security team for time-based exclusions
Vendor-supplied diagnostic utilities that create process memory dumps of lsass.exe for authentication troubleshooting on domain controllers
Windows kernel and system dump operations triggered by BSOD or kernel crash events generating .dmp files in accessible paths before WER moves them

CrowdStrike LogScale (CQL)

cql

// LSASS Credential Dumping Detection — CrowdStrike LogScale (Falcon)
// Method 1: rundll32 + comsvcs MiniDump
#event_simpleName=ProcessRollup2
| ImageFileName = /rundll32\.exe/i
| CommandLine = /comsvcs/i
| CommandLine = /(MiniDump|#24|lsass.*dump)/i
| DumpMethod := "rundll32_comsvcs_MiniDump"
| RiskScore := 95

// Union with Method 2: ProcDump
| union [
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(procdump|procdump64)\.exe/i
  | CommandLine = /(lsass|-ma)/i
  | DumpMethod := "ProcDump_LSASS"
  | RiskScore := 90
]

// Union with Method 3: Process injection/access targeting lsass
| union [
  #event_simpleName=ProcessRollup2
  | TargetProcessId != null
  | TargetImageFileName = /lsass\.exe/i
  | ImageFileName != /(svchost|wininit|lsm|csrss|SecurityHealthService|MsMpEng|SenseIR|MsSense|SentinelAgent|CSFalconService)\.exe/i
  | DumpMethod := "LSASS_ProcessAccess"
  | RiskScore := 85
]

// Union with Method 4: .dmp/.mdmp file creation in suspicious paths
| union [
  #event_simpleName=PeFileWritten OR #event_simpleName=SuspiciousFileWrite
  | TargetFileName = /\.(dmp|mdmp)$/i
  | TargetFileName = /(Temp|tmp|ProgramData|Users|Public)/i
  | TargetFileName != /(WER|Crash)/i
  | ImageFileName != /(werfault|WerFaultSecure|drwtsn32|msdtc)\.exe/i
  | DumpMethod := "DumpFile_Created"
  | RiskScore := 80
]

| groupBy([ComputerName, UserName, DumpMethod, RiskScore], function=[
    count(as=EventCount),
    collect([ImageFileName, CommandLine], multival=true, limit=10)
  ])
| ThreatActors := "Akira, Black Basta, LockBit, Scattered Spider"
| sort(RiskScore, order=desc)

CrowdStrike LogScale (Falcon) query detecting LSASS credential dumping using Falcon process telemetry. Covers four methods: rundll32/comsvcs MiniDump LOL technique, ProcDump targeting lsass, direct LSASS process access from non-whitelisted parent processes, and suspicious dump file creation. Uses native Falcon event types ProcessRollup2 and file write events for comprehensive coverage.

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale Falcon Sensor process telemetry

Required Tables

ProcessRollup2 PeFileWritten SuspiciousFileWrite

False Positives

CrowdStrike Falcon sensor itself (CSFalconService.exe) accessing lsass.exe — already excluded but verify CSFalconService is in the exclusion regex for your environment
Legitimate sysadmin use of ProcDump or Task Manager dump feature during authorized incident response or debugging sessions on servers experiencing authentication failures
Third-party PAM (Privileged Access Management) solutions that periodically access LSASS to rotate credentials or validate password policy compliance

Sigma rule & cross-platform mapping

The detection logic for LSASS Credential Dumping via Memory Access (THREAT-CredentialDump-LSASS) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for THREAT-CredentialDump-LSASS Sigma rules on detection.fyi

Platform-specific guides for THREAT-CredentialDump-LSASS

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-25 Research depth: deep

References (3)

Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1LSASS MiniDump via rundll32.exe + comsvcs.dll (LOL Technique)
Expected signal: Sysmon Event ID 1: rundll32.exe with comsvcs.dll and MiniDump in command line. Sysmon Event ID 11: lsass.dmp created in C:\Windows\Temp\. Windows Security Event ID 4656: handle to lsass.exe requested.
Test 2LSASS Dump via ProcDump
Expected signal: Sysmon Event ID 1: procdump.exe with -ma and lsass in command line. Sysmon Event ID 10: procdump64.exe accessing lsass.exe process.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for THREAT-CredentialDump-LSASS including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

LSASS Credential Dumping via Memory Access

What is THREAT-CredentialDump-LSASS LSASS Credential Dumping via Memory Access?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for THREAT-CredentialDump-LSASS

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Parent Technique

Related Techniques

Same Tactic: Credential Access

Popular Detections

What is THREAT-CredentialDump-LSASS LSASS Credential Dumping via Memory Access?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for THREAT-CredentialDump-LSASS

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Parent Technique

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox