title: LSASS Memory (T1003.001)
id: df00tech-t1003-001
status: experimental
description: "Adversaries access credential material stored in the LSASS process memory. After logon, Windows stores credentials (NTLM hashes, Kerberos tickets, plaintext passwords via WDigest) in LSASS. Tools used include Mimikatz, ProcDump, comsvcs.dll MiniDump (rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump), WerFault silent process exit, and Cobalt Strike's sekurlsa module. Used extensively by APT1, APT33, OilRig, HAFNIUM, Volt Typhoon, NotPetya, Cobalt Strike operators, and many others. Highest-frequency credential dumping technique observed in the wild."
references:
  - https://attack.mitre.org/techniques/T1003/001/
  - https://df00tech.com/detections/T1003.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1003.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this selection matches every process_creation event and is not usable as-is.
  # The logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "EDR agents (CrowdStrike, Carbon Black, Cylance) that legitimately access LSASS for memory scanning — these should be in the process exclusion list"
  - Windows Error Reporting (WerFault.exe) creating crash dumps when LSASS encounters an error
  - IT administrators using Task Manager to create an LSASS dump for legitimate debugging purposes
  - Sysinternals ProcDump used by operations teams for authorized crash dump collection
level: critical
