title: LSASS Credential Dumping via Memory Access (THREAT-CredentialDump-LSASS)
id: df00tech-threat-credentialdump-lsass
status: experimental
description: "LSASS (Local Security Authority Subsystem Service) process memory dumping remains the primary credential theft technique across ransomware operators and APT groups. Attackers access LSASS memory to extract NTLM hashes, Kerberos tickets, and cleartext credentials of all users who have recently authenticated to the system. Common tools: Mimikatz (sekurlsa::logonpasswords, lsadump::sam), ProcDump (procdump -ma lsass.exe), Task Manager dump, comsvcs.dll MiniDump via rundll32, and custom loaders. All documented ransomware groups (Akira, Black Basta, LockBit) use credential dumping to escalate from standard user to domain admin. Detection prioritises the MiniDump-via-rundll32 technique (stealthy, living-off-the-land binary) and ProcDump, which are the most prevalent. NCSC UK's 2025 ransomware guidance specifically calls out LSASS dumping as a critical detection opportunity in the pre-ransomware kill chain."
references:
  - https://attack.mitre.org/techniques/THREAT-CredentialDump-LSASS/
  - https://df00tech.com/detections/THREAT-CredentialDump-LSASS
author: df00tech
date: 2026/04/25
tags:
  - attack.threat-credentialdump-lsass
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Process-creation coverage for the two variants the description prioritises
  # (comsvcs.dll MiniDump via rundll32, ProcDump -ma); see the KQL/SPL query on df00tech for the full logic.
  # Note: the comsvcs MiniDump export takes the target as a PID, so 'lsass' rarely appears in that command line.
  selection_comsvcs_minidump:
    Image|endswith: '\rundll32.exe'
    CommandLine|contains|all:
      - 'comsvcs'
      - 'MiniDump'
  selection_procdump_lsass:
    Image|endswith:
      - '\procdump.exe'
      - '\procdump64.exe'
    CommandLine|contains|all:
      - '-ma'
      - 'lsass'
  condition: 1 of selection_*
falsepositives:
  - Windows Error Reporting (WER/werfault.exe) creating process dumps for crashed applications
  - "Security products (CrowdStrike, SentinelOne, Defender) accessing LSASS for legitimate monitoring"
  - Authorised penetration testers using Mimikatz or ProcDump during red team exercises
  - System administrators creating diagnostic dumps for debugging authentication issues
  - Dr. Watson (drwtsn32.exe) or other diagnostic utilities creating process dumps
level: critical
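As an added example (not part of the df00tech rule or its KQL/SPL query), the following Python script applies the same two detection branches to a handful of constructed process-creation events. It assumes events carry `Image` and `CommandLine` fields and, optionally, a known LSASS PID (`lsass_pid`) so that PID-based targeting by the comsvcs MiniDump export or ProcDump can be resolved; the benign WerFault and ProcDump-against-notepad events show where the false positives listed above are avoided.

```python
import re

# Constructed sample process-creation events (Sysmon EID 1 / 4688 style), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
    {"Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\temp\out.dmp"},
    {"Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma notepad.exe C:\temp\np.dmp"},
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 1234"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def classify(ev, lsass_pid=None):
    """Return a technique label for a matching event, or None if the rule ignores it.

    lsass_pid (assumed to come from a process snapshot) lets PID-only targeting be resolved.
    """
    image = ev["Image"].lower()
    cl = ev["CommandLine"].lower()
    # Branch 1: rundll32 loading comsvcs.dll and calling its MiniDump export.
    # The target is passed as a PID, so 'lsass' normally never appears in the command line.
    if image.endswith("\\rundll32.exe") and "comsvcs" in cl and "minidump" in cl:
        m = re.search(r"minidump\s+(\d+)", cl)
        target = "lsass" if (m and lsass_pid is not None and int(m.group(1)) == lsass_pid) else "unknown pid"
        return f"comsvcs MiniDump via rundll32 (target: {target})"
    # Branch 2: ProcDump full-memory dump (-ma) aimed at lsass by name or by known PID.
    if image.endswith(("\\procdump.exe", "\\procdump64.exe")) and "-ma" in cl.split():
        if "lsass" in cl or (lsass_pid is not None and str(lsass_pid) in cl.split()):
            return "ProcDump -ma against lsass"
    return None


def run_detection(events, lsass_pid=None):
    """Evaluate every event and return (command line, label) pairs for the hits."""
    return [(ev["CommandLine"], label) for ev in events if (label := classify(ev, lsass_pid))]


if __name__ == "__main__":
    for cmdline, label in run_detection(SAMPLE_EVENTS, lsass_pid=624):
        print(f"[ALERT] {label}: {cmdline}")
```

Without a known LSASS PID the comsvcs branch still fires (any MiniDump via comsvcs.dll is worth triage) but reports the target as unresolved.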
