THREAT-CredentialDump-LSASS Sumo Logic CSE

Detect LSASS Credential Dumping via Memory Access in Sumo Logic CSE

LSASS (Local Security Authority Subsystem Service) process memory dumping remains the primary credential theft technique used by ransomware operators and APT groups. Attackers read LSASS memory to extract NTLM hashes, Kerberos tickets, and cleartext credentials of every user who has recently authenticated to the system. Common tools: Mimikatz (sekurlsa::logonpasswords, lsadump::sam), ProcDump (procdump -ma lsass.exe), a Task Manager dump, the comsvcs.dll MiniDump export invoked via rundll32, and custom loaders. All documented ransomware groups (Akira, Black Basta, LockBit) use credential dumping to escalate from standard user to domain admin. This detection prioritises the MiniDump-via-rundll32 technique (stealthy, because rundll32 and comsvcs.dll are living-off-the-land binaries) and ProcDump, which are the most prevalent. NCSC UK's 2025 ransomware guidance specifically calls out LSASS dumping as a critical detection opportunity in the pre-ransomware kill chain.

MITRE ATT&CK

Tactic
Credential Access

Sumo Detection Query

Sumo Logic CSE (Sumo)
```sql
_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _sourceName matches "*Sysmon*" or _sourceName matches "*Security*" or _sourceName matches "*WinEventLog*"
| parse "<EventID>*</EventID>" as EventCode nodrop
| parse "<Image>*</Image>" as ProcessImage nodrop
| parse "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse "<TargetImage>*</TargetImage>" as TargetImage nodrop
| parse "<TargetFilename>*</TargetFilename>" as TargetFilename nodrop
| parse "<User>*</User>" as AccountUser nodrop
| parse "<Computer>*</Computer>" as HostName nodrop
| parse "<SourceImage>*</SourceImage>" as SourceImage nodrop
| where (
    (
      EventCode = "1"
      and ProcessImage matches "*rundll32.exe*"
      and (
        (CommandLine matches "*comsvcs*" and (CommandLine matches "*MiniDump*" or CommandLine matches "*#24*"))
        or (CommandLine matches "*lsass*" and CommandLine matches "*dump*")
      )
    )
    or (
      EventCode = "1"
      and (ProcessImage matches "*procdump.exe*" or ProcessImage matches "*procdump64.exe*")
      and (CommandLine matches "*lsass*" or CommandLine matches "*-ma*")
    )
    or (
      EventCode = "10"
      and TargetImage matches "*lsass.exe*"
      and not (SourceImage matches "*svchost.exe*" or SourceImage matches "*wininit.exe*"
        or SourceImage matches "*lsm.exe*" or SourceImage matches "*csrss.exe*"
        or SourceImage matches "*SecurityHealthService.exe*" or SourceImage matches "*MsMpEng.exe*"
        or SourceImage matches "*SenseIR.exe*" or SourceImage matches "*MsSense.exe*"
        or SourceImage matches "*SentinelAgent.exe*" or SourceImage matches "*CSFalconService.exe*")
    )
    or (
      EventCode = "11"
      and (TargetFilename matches "*.dmp" or TargetFilename matches "*.mdmp")
      and (TargetFilename matches "*Temp*" or TargetFilename matches "*ProgramData*"
        or TargetFilename matches "*Users*" or TargetFilename matches "*Public*")
      and not (ProcessImage matches "*werfault.exe*" or ProcessImage matches "*WerFaultSecure.exe*"
        or ProcessImage matches "*drwtsn32.exe*")
    )
  )
| if (EventCode = "1" and ProcessImage matches "*rundll32*" and CommandLine matches "*comsvcs*",
    "rundll32_comsvcs_MiniDump",
    if (EventCode = "1" and (ProcessImage matches "*procdump*"),
      "ProcDump_LSASS",
      if (EventCode = "10" and TargetImage matches "*lsass*",
        "LSASS_ProcessAccess",
        if (EventCode = "11" and (TargetFilename matches "*.dmp" or TargetFilename matches "*.mdmp"),
          "DumpFile_Created", "Other")))) as DumpMethod
| if (DumpMethod = "rundll32_comsvcs_MiniDump", 95,
    if (DumpMethod = "ProcDump_LSASS", 90,
      if (DumpMethod = "LSASS_ProcessAccess", 85, 80))) as RiskScore
| count as Events by HostName, AccountUser, DumpMethod, RiskScore
| sort by RiskScore desc
```

Severity: critical. Confidence: high.

Sumo Logic query detecting LSASS memory dumping across four vectors: rundll32/comsvcs MiniDump LOL technique (RiskScore 95), ProcDump targeting lsass (90), unauthorized lsass process access via Sysmon Event 10 (85), and suspicious .dmp/.mdmp file creation (80). Parses Sysmon XML events from Windows endpoint log sources.

Data Sources

  • Sumo Logic Cloud SIEM
  • Windows Sysmon via Sumo Logic Collector
  • Windows Security Event Logs

Required Tables

  • _sourceCategory=*windows*
  • _sourceCategory=*sysmon*

False Positives & Tuning

  • Security operations teams running ProcDump as part of authorized forensic investigations or incident response on compromised hosts
  • Enterprise monitoring agents (CrowdStrike Falcon, SentinelOne, Microsoft Defender) performing routine lsass inspection — extend SourceImage exclusions as needed
  • Application crash dump collection by Windows Error Reporting generating .dmp files in %TEMP% or AppData during legitimate application failures

Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: LSASS MiniDump via rundll32.exe + comsvcs.dll (LOL technique)

    Expected signal: Sysmon Event ID 1: rundll32.exe with comsvcs.dll and MiniDump in command line. Sysmon Event ID 11: lsass.dmp created in C:\Windows\Temp\. Windows Security Event ID 4656: handle to lsass.exe requested.

  2. Test 2: LSASS dump via ProcDump

    Expected signal: Sysmon Event ID 1: procdump.exe with -ma and lsass in command line. Sysmon Event ID 10: procdump64.exe accessing lsass.exe process.
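To see exactly what the query's filter, DumpMethod labels and count/sort aggregation fire on, here is an added Python re-implementation of that logic run over constructed Sysmon-style events: the expected signals of Test 1 and Test 2 above, plus two benign events (a Defender engine read of lsass.exe and a Windows Error Reporting crash dump) that the exclusion lists should suppress. This is example code written for this page, not Sumo Logic's or the rule's own code; it assumes case-insensitive substring matching as a stand-in for the query's `matches "*x*"` patterns, and every hostname, account, path and command line in the sample events is constructed test data.

```python
import re

# Exclusion lists copied from the query's "and not (...)" clauses.
ACCESS_ALLOWLIST = ("svchost.exe", "wininit.exe", "lsm.exe", "csrss.exe",
                    "SecurityHealthService.exe", "MsMpEng.exe", "SenseIR.exe",
                    "MsSense.exe", "SentinelAgent.exe", "CSFalconService.exe")
CRASH_HANDLERS = ("werfault.exe", "WerFaultSecure.exe", "drwtsn32.exe")
DUMP_DIRS = ("Temp", "ProgramData", "Users", "Public")
FIELDS = ("EventID", "Image", "CommandLine", "TargetImage", "TargetFilename",
          "User", "Computer", "SourceImage")


def parse_event(xml: str) -> dict:
    """Mirror of the query's parse "<Tag>*</Tag>" ... nodrop lines: each field is
    extracted when present and left empty otherwise, so no event is dropped."""
    event = {}
    for field in FIELDS:
        m = re.search(rf"<{field}>(.*?)</{field}>", xml, re.S)
        event[field] = m.group(1) if m else ""
    return event


def has(value: str, *needles: str) -> bool:
    """Case-insensitive substring test standing in for matches "*needle*"
    (assumption: Windows paths and command lines compare case-insensitively)."""
    value = value.lower()
    return all(n.lower() in value for n in needles)


def any_has(value: str, needles) -> bool:
    return any(has(value, n) for n in needles)


def classify(ev: dict):
    """Apply the rule's where-clause and its DumpMethod/RiskScore labels.
    Returns (DumpMethod, RiskScore), or None when the event does not match."""
    eid, img, cmd = ev["EventID"], ev["Image"], ev["CommandLine"]
    tgt, tf, src = ev["TargetImage"], ev["TargetFilename"], ev["SourceImage"]
    if eid == "1" and has(img, "rundll32.exe"):
        comsvcs = has(cmd, "comsvcs") and (has(cmd, "MiniDump") or has(cmd, "#24"))
        if comsvcs or has(cmd, "lsass", "dump"):
            # As in the query, a rundll32 "lsass ... dump" command line without
            # comsvcs passes the filter but falls through to the "Other" label.
            return ("rundll32_comsvcs_MiniDump", 95) if has(cmd, "comsvcs") else ("Other", 80)
    if eid == "1" and any_has(img, ("procdump.exe", "procdump64.exe")):
        if has(cmd, "lsass") or has(cmd, "-ma"):
            return ("ProcDump_LSASS", 90)
    if eid == "10" and has(tgt, "lsass.exe") and not any_has(src, ACCESS_ALLOWLIST):
        return ("LSASS_ProcessAccess", 85)
    if eid == "11" and tf.lower().endswith((".dmp", ".mdmp")):
        if any_has(tf, DUMP_DIRS) and not any_has(img, CRASH_HANDLERS):
            return ("DumpFile_Created", 80)
    return None


def summarize(events):
    """count as Events by HostName, AccountUser, DumpMethod, RiskScore | sort by RiskScore desc"""
    counts = {}
    for xml in events:
        ev = parse_event(xml)
        hit = classify(ev)
        if hit is None:
            continue
        key = (ev["Computer"], ev["User"], hit[0], hit[1])
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[0][3])


def sysmon_xml(eid, host, user, **fields):
    """Build a minimal Sysmon-style event body (constructed test data, not real telemetry)."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return f"<Event><EventID>{eid}</EventID><Computer>{host}</Computer><User>{user}</User>{body}</Event>"


# Constructed sample events: the Test 1 / Test 2 signals plus two benign look-alikes.
SAMPLE_EVENTS = [
    sysmon_xml(1, "WS01", "CORP\\jdoe", Image=r"C:\Windows\System32\rundll32.exe",
               CommandLine=r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 700 C:\Windows\Temp\lsass.dmp full"),
    sysmon_xml(11, "WS01", "CORP\\jdoe", Image=r"C:\Windows\System32\rundll32.exe",
               TargetFilename=r"C:\Windows\Temp\lsass.dmp"),
    sysmon_xml(1, "WS02", "CORP\\admin", Image=r"C:\Tools\procdump64.exe",
               CommandLine=r"procdump64.exe -ma lsass.exe C:\Users\Public\out.dmp"),
    sysmon_xml(10, "WS02", "CORP\\admin", SourceImage=r"C:\Tools\procdump64.exe",
               TargetImage=r"C:\Windows\System32\lsass.exe"),
    # Benign: allow-listed Defender engine reading lsass -> suppressed.
    sysmon_xml(10, "WS03", "NT AUTHORITY\\SYSTEM",
               SourceImage=r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
               TargetImage=r"C:\Windows\System32\lsass.exe"),
    # Benign: Windows Error Reporting crash dump in a user Temp directory -> suppressed.
    sysmon_xml(11, "WS03", "CORP\\user2", Image=r"C:\Windows\System32\WerFault.exe",
               TargetFilename=r"C:\Users\user2\AppData\Local\Temp\app.dmp"),
]

if __name__ == "__main__":
    for (host, user, method, score), n in summarize(SAMPLE_EVENTS):
        print(f"{score:>3} {method:<26} {host:<5} {user:<20} Events={n}")
```

Running it prints one row per (host, user, method, score) group ordered by RiskScore, which is the shape the Sumo query returns; the two benign events produce no row. The fall-through to "Other" for a rundll32 command line that mentions lsass and dump but not comsvcs is reproduced deliberately, since that is how the query's nested `if` chain behaves, and it is worth knowing when tuning which label a given alert will carry.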
