THREAT-CredentialDump-LSASS Microsoft Sentinel · KQL

Detect LSASS Credential Dumping via Memory Access in Microsoft Sentinel

LSASS (Local Security Authority Subsystem Service) process memory dumping remains the primary credential theft technique across ransomware operators and APT groups. Attackers access LSASS memory to extract NTLM hashes, Kerberos tickets, and cleartext credentials of all users who have recently authenticated to the system. Common tools: Mimikatz (sekurlsa::logonpasswords, lsadump::sam), ProcDump (procdump -ma lsass.exe), Task Manager dump, comsvcs.dll MiniDump via rundll32, and custom loaders. All documented ransomware groups (Akira, Black Basta, LockBit) use credential dumping to escalate from standard user to domain admin. Detection prioritises the MiniDump-via-rundll32 technique (stealthy, LOL-binary) and ProcDump which are most prevalent. NCSC UK's 2025 ransomware guidance specifically calls out LSASS dumping as a critical detection opportunity in the pre-ransomware kill chain.

MITRE ATT&CK

Tactic
Credential Access

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// THREAT: LSASS Credential Dumping (T1003.001)
// Detects memory dumping of lsass.exe via multiple methods

// Alert 1: MiniDump via rundll32.exe + comsvcs.dll (LOL technique)
let LolDump = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine has_all ("comsvcs", "MiniDump") or
      ProcessCommandLine has_all ("comsvcs", "#24") or // #24 is MiniDump ordinal
      (ProcessCommandLine has "lsass" and ProcessCommandLine has "dump")
| extend DumpMethod = "rundll32_comsvcs_MiniDump"
| extend RiskScore = 95;
// Alert 2: ProcDump targeting lsass
let ProcDump = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("procdump.exe", "procdump64.exe")
| where ProcessCommandLine has "lsass" or ProcessCommandLine has "-ma"
| extend DumpMethod = "ProcDump_LSASS"
| extend RiskScore = 90;
// Alert 3: Direct process handle to lsass (non-whitelisted)
let DirectHandle = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType =~ "ProcessPrimaryTokenModified" or ActionType =~ "CreateRemoteThreadApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ (
    "svchost.exe", "wininit.exe", "system", "lsm.exe",
    "csrss.exe", "SecurityHealthService.exe"
  )
| extend DumpMethod = "LSASS_DirectHandle"
| extend RiskScore = 85;
// Alert 4: Suspicious file creation of .dmp files
let DmpFile = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".dmp" or FileName endswith ".mdmp"
| where FolderPath has_any ("Temp", "tmp", "ProgramData", "Users", "Public")
    and FolderPath !has "WER" and FolderPath !has "Crash"
| where InitiatingProcessFileName !in~ (
    "werfault.exe", "werFaultSecure.exe", "msdtc.exe", "drwtsn32.exe"
  )
| extend DumpMethod = "DumpFile_SuspiciousLocation"
| extend RiskScore = 80;
union LolDump, ProcDump, DirectHandle, DmpFile
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, DumpMethod, RiskScore
| sort by RiskScore desc, Timestamp desc
critical severity high confidence

Four-vector LSASS dump detection: (1) rundll32.exe + comsvcs.dll MiniDump — the living-off-the-land LSASS dump technique that avoids dropping Mimikatz; (2) ProcDump targeting lsass.exe; (3) direct process handle or remote thread injection into lsass; (4) .dmp file creation in suspicious temp directories — the output artifact. RiskScore 80-95 based on technique specificity.

Data Sources

Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceEvents, DeviceFileEvents)Sysmon Event ID 1, 10, 11Windows Security Event Log (Event ID 4656, 10)

Required Tables

DeviceProcessEventsDeviceEventsDeviceFileEvents

False Positives & Tuning

  • Windows Error Reporting (WER/werfault.exe) creating process dumps for crashed applications
  • Security products (CrowdStrike, SentinelOne, Defender) accessing LSASS for legitimate monitoring
  • Authorised penetration testers using Mimikatz or ProcDump during red team exercises
  • System administrator creating diagnostic dumps for debugging authentication issues
  • Dr. Watson (drwtsn32.exe) or other diagnostic utilities creating process dumps
Download portable Sigma rule (.yml)

Other platforms for THREAT-CredentialDump-LSASS

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1LSASS MiniDump via rundll32.exe + comsvcs.dll (LOL Technique)

    Expected signal: Sysmon Event ID 1: rundll32.exe with comsvcs.dll and MiniDump in command line. Sysmon Event ID 11: lsass.dmp created in C:\Windows\Temp\. Windows Security Event ID 4656: handle to lsass.exe requested.

  2. Test 2LSASS Dump via ProcDump

    Expected signal: Sysmon Event ID 1: procdump.exe with -ma and lsass in command line. Sysmon Event ID 10: procdump64.exe accessing lsass.exe process.

Last updated: 2026-04-25 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for THREAT-CredentialDump-LSASS including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1003.001LSASS Memory

Related Techniques

T1003.001LSASS MemoryT1078.002Domain AccountsT1550.002Pass the HashT1558.003KerberoastingT1021.002SMB/Windows Admin Shares

Same Tactic: Credential Access

Popular Detections