THREAT-CredentialDump-LSASS (IBM QRadar)

Detect LSASS Credential Dumping via Memory Access in IBM QRadar

LSASS (Local Security Authority Subsystem Service) process memory dumping remains the primary credential theft technique across ransomware operators and APT groups. Attackers read LSASS memory to extract NTLM hashes, Kerberos tickets, and cleartext credentials of every user who has recently authenticated to the system. Common tools: Mimikatz (sekurlsa::logonpasswords, lsadump::sam), ProcDump (procdump -ma lsass.exe), Task Manager dump, comsvcs.dll MiniDump via rundll32, and custom loaders. All documented ransomware groups (Akira, Black Basta, LockBit) use credential dumping to escalate from standard user to domain admin. This detection prioritises the MiniDump-via-rundll32 technique (stealthy, living-off-the-land binary) and ProcDump, which are the most prevalent. NCSC UK's 2025 ransomware guidance specifically calls out LSASS dumping as a critical detection opportunity in the pre-ransomware kill chain.

MITRE ATT&CK

Tactic
Credential Access

QRadar Detection Query

Platform: IBM QRadar (AQL)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "sourceip" AS HostIP,
  "username" AS AccountName,
  "URL" AS ProcessImage,
  "PostNATSourcePort" AS EventCode,
  CASE
    WHEN "URL" ILIKE '%rundll32%' AND ("commandline" ILIKE '%comsvcs%' OR "commandline" ILIKE '%MiniDump%' OR "commandline" ILIKE '%#24%') THEN 'rundll32_comsvcs_MiniDump'
    WHEN "URL" ILIKE '%procdump%' THEN 'ProcDump_LSASS'
    WHEN QIDNAME(qid) ILIKE '%process access%' AND "targetprocessname" ILIKE '%lsass.exe%' THEN 'LSASS_ProcessAccess'
    WHEN QIDNAME(qid) ILIKE '%file create%' AND ("filename" ILIKE '%.dmp' OR "filename" ILIKE '%.mdmp') THEN 'DumpFile_Created'
    ELSE 'Unknown'
  END AS DumpMethod,
  CASE
    WHEN "URL" ILIKE '%rundll32%' AND ("commandline" ILIKE '%MiniDump%' OR "commandline" ILIKE '%#24%') THEN 95
    WHEN "URL" ILIKE '%procdump%' THEN 90
    WHEN "targetprocessname" ILIKE '%lsass.exe%' THEN 85
    ELSE 80
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 229)
  AND starttime > NOW() - 86400000
  AND (
    (
      QIDNAME(qid) ILIKE '%process create%'
      AND "URL" ILIKE '%rundll32.exe%'
      AND (
        ("commandline" ILIKE '%comsvcs%' AND ("commandline" ILIKE '%MiniDump%' OR "commandline" ILIKE '%#24%'))
        OR ("commandline" ILIKE '%lsass%' AND "commandline" ILIKE '%dump%')
      )
    )
    OR (
      QIDNAME(qid) ILIKE '%process create%'
      AND ("URL" ILIKE '%procdump.exe%' OR "URL" ILIKE '%procdump64.exe%')
      AND ("commandline" ILIKE '%lsass%' OR "commandline" ILIKE '%-ma%')
    )
    OR (
      QIDNAME(qid) ILIKE '%process access%'
      AND "targetprocessname" ILIKE '%lsass.exe%'
      AND "URL" NOT ILIKE '%svchost.exe%'
      AND "URL" NOT ILIKE '%wininit.exe%'
      AND "URL" NOT ILIKE '%lsm.exe%'
      AND "URL" NOT ILIKE '%csrss.exe%'
      AND "URL" NOT ILIKE '%MsMpEng.exe%'
      AND "URL" NOT ILIKE '%SentinelAgent.exe%'
    )
    OR (
      QIDNAME(qid) ILIKE '%file create%'
      AND ("filename" ILIKE '%.dmp' OR "filename" ILIKE '%.mdmp')
      AND ("filepath" ILIKE '%Temp%' OR "filepath" ILIKE '%ProgramData%' OR "filepath" ILIKE '%Users%' OR "filepath" ILIKE '%Public%')
      AND "URL" NOT ILIKE '%werfault.exe%'
      AND "URL" NOT ILIKE '%drwtsn32.exe%'
    )
  )
ORDER BY RiskScore DESC, starttime DESC
```

Severity: critical
Confidence: medium

Note on the CASE expressions: the DumpMethod and RiskScore labels test the same custom properties ("commandline", "targetprocessname") and the same QIDNAME values as the WHERE branches, so every row the WHERE clause returns receives the label and score of the branch that matched it. (Earlier drafts tested "destinationip" and QIDNAME for strings such as comsvcs, MiniDump and lsass, which those fields never carry, so matching rows fell through to 'Unknown' and a score of 80.)

AQL query for IBM QRadar detecting LSASS credential dumping via rundll32/comsvcs MiniDump LOL technique, ProcDump targeting lsass, direct lsass process access from non-whitelisted processes, and suspicious dump file creation. Targets Windows Sysmon and Security log sources (LOGSOURCETYPEID 12=Windows, 13=Sysmon, 229=Microsoft Security).

Data Sources

  • IBM QRadar SIEM
  • Windows Sysmon (QRadar DSM)
  • Microsoft Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Legitimate system administration use of ProcDump for capturing crash dumps of lsass.exe during active troubleshooting of authentication issues
  • Security software (EDR agents, AV) that regularly access lsass.exe memory space for protection and monitoring — review SourceImage whitelisting
  • Windows Error Reporting creating .dmp files in temp directories following application or service crashes unrelated to credential access
Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: LSASS MiniDump via rundll32.exe + comsvcs.dll (LOL Technique)

    Expected signal: Sysmon Event ID 1: rundll32.exe with comsvcs.dll and MiniDump in command line. Sysmon Event ID 11: lsass.dmp created in C:\Windows\Temp\. Windows Security Event ID 4656: handle to lsass.exe requested.

  2. Test 2: LSASS Dump via ProcDump

    Expected signal: Sysmon Event ID 1: procdump.exe with -ma and lsass in command line. Sysmon Event ID 10: procdump64.exe accessing lsass.exe process.
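The expected signals above can be checked against the rule's logic before it is deployed. The block below is an added example, not code from the detection page or from IBM: it re-implements the query's four WHERE branches, DumpMethod labels and RiskScore values in plain Python and runs them over constructed Sysmon-style events keyed by the same custom property names the query uses (url for the process image, commandline, targetprocessname, filename, filepath).

```python
# Added example, not code from the detection page or from IBM: a plain-Python
# re-implementation of the AQL branches, labels and risk scores, so the
# "expected signal" events listed above can be checked offline before deploying.
from typing import Optional, Tuple
ACCESS_ALLOWLIST = ("svchost.exe", "wininit.exe", "lsm.exe", "csrss.exe",
                    "msmpeng.exe", "sentinelagent.exe")  # accessors the query excludes
CRASH_HANDLERS = ("werfault.exe", "drwtsn32.exe")        # legitimate .dmp writers
DUMP_DIRS = ("temp", "programdata", "users", "public")   # paths the query watches

def classify(ev: dict) -> Optional[Tuple[str, int]]:
    """(DumpMethod, RiskScore) for an event matching a branch, else None.
    ILIKE '%x%' is a case-insensitive substring test; '%.dmp' is an endswith."""
    name, cmd = ev.get("qidname", "").lower(), ev.get("commandline", "").lower()
    image = ev.get("url", "").lower()  # the "URL" property carries the process image
    if "process create" in name and "rundll32.exe" in image and (
            ("comsvcs" in cmd and ("minidump" in cmd or "#24" in cmd))
            or ("lsass" in cmd and "dump" in cmd)):
        return "rundll32_comsvcs_MiniDump", 95
    if "process create" in name and ("procdump.exe" in image or "procdump64.exe" in image) \
            and ("lsass" in cmd or "-ma" in cmd):
        return "ProcDump_LSASS", 90
    if "process access" in name and "lsass.exe" in ev.get("targetprocessname", "").lower() \
            and not any(a in image for a in ACCESS_ALLOWLIST):
        return "LSASS_ProcessAccess", 85
    fn, fp = ev.get("filename", "").lower(), ev.get("filepath", "").lower()
    if "file create" in name and fn.endswith((".dmp", ".mdmp")) \
            and any(d in fp for d in DUMP_DIRS) and not any(c in image for c in CRASH_HANDLERS):
        return "DumpFile_Created", 80
    return None

def triage(events: list) -> list:
    """Matched events ordered like the query: RiskScore DESC, then newest first."""
    hits = [(ev["starttime"], *r) for ev in events if (r := classify(ev))]
    return sorted(hits, key=lambda h: (-h[2], -h[0]))

# Constructed sample telemetry modelled on the expected-signal lines above.
SAMPLE_EVENTS = [
    {"starttime": 1, "qidname": "Process Create", "url": r"C:\Windows\System32\rundll32.exe",
     "commandline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\lsass.dmp full"},
    {"starttime": 2, "qidname": "Process Create", "url": r"C:\Tools\procdump64.exe",
     "commandline": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"starttime": 3, "qidname": "Process Access", "url": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe",
     "targetprocessname": r"C:\Windows\System32\lsass.exe"},  # allow-listed AV, no hit
    {"starttime": 4, "qidname": "Process Access", "url": r"C:\Users\Public\loader.exe",
     "targetprocessname": r"C:\Windows\System32\lsass.exe"},
    {"starttime": 5, "qidname": "File Create", "url": r"C:\Windows\System32\WerFault.exe",
     "filename": "app.dmp", "filepath": r"C:\Windows\Temp\app.dmp"},  # crash handler, no hit
    {"starttime": 6, "qidname": "File Create", "url": r"C:\Windows\System32\rundll32.exe",
     "filename": "lsass.dmp", "filepath": r"C:\Windows\Temp\lsass.dmp"},
]
```

Running triage(SAMPLE_EVENTS) yields four hits in score order (95, 90, 85, 80) and drops the MsMpEng.exe access and the WerFault.exe dump, which is the behaviour the tuning notes describe; extend SAMPLE_EVENTS with your own EDR image paths to confirm the allow-list covers them before enabling the rule.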
