Detection Library
critical · stable · Windows · Endpoint · T1003.001

LSASS Memory Dump via Task Manager or ProcDump

Detects attempts to dump LSASS process memory for credential harvesting using common tools.

Updated Oct 28, 2024 · Detection Engineering Team

lsass · credential-dumping · mimikatz · windows

Problem Statement

LSASS holds Windows credential material in memory. Dumping that memory lets an attacker crack the hashes offline or reuse them in pass-the-hash attacks. Tools such as Mimikatz, ProcDump, and Task Manager are commonly used to take the dump.

Sample Logs

{"EventID":10,"SourceImage":"C:\\Users\\attacker\\procdump64.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1fffff","CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+..."}

Required Fields

TargetImage
SourceImage
GrantedAccess
CallTrace
SourceProcessId

False Positives

  • Antivirus solutions accessing LSASS
  • Legitimate system tools from trusted paths
  • EDR agents performing telemetry collection

Tuning Guidance

Baseline legitimate LSASS access patterns in your environment before enabling alerts. Allowlist the process paths of known AV/EDR binaries rather than whole system directories. Check CallTrace for modules outside the OS directories or without a signed backing image.
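The following is an added example of the detection logic described above, written for this page and not part of the Detection Engineering Team's rule content. It evaluates Sysmon Event ID 10 (ProcessAccess) records against the required fields: the target must be lsass.exe, the GrantedAccess mask must include PROCESS_VM_READ (0x0010, a documented Win32 constant), the source image is compared with an allowlist of AV/EDR directories, and CallTrace frames are checked for modules outside System32/SysWOW64. The allowlist paths, the sample events and the "example-edr" directory are constructed placeholders. Because the event does not carry signature state, module location is used as a proxy for "unsigned", which is an approximation of the tuning guidance rather than a true signature check.

```python
"""Detection logic for LSASS memory access (Sysmon Event ID 10). Added example."""
import json
from dataclasses import dataclass, field

# Windows process access-right bits (documented Win32 constants).
PROCESS_VM_READ = 0x0010       # required to read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF  # full access, as in the page's sample event

# Assumed allowlist of directories holding baselined AV/EDR binaries that may
# legitimately open LSASS. Placeholder values; replace with your own baseline.
TRUSTED_SOURCE_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\program files\\example-edr\\",   # placeholder third-party EDR path
)

# Modules under these OS directories are treated as trusted in CallTrace checks.
TRUSTED_MODULE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Finding:
    source_image: str
    source_pid: str
    granted_access: int
    reasons: list = field(default_factory=list)


def _under(path, dirs):
    """Case-insensitive prefix match of a Windows path against directory prefixes."""
    return any(path.lower().startswith(d) for d in dirs)


def untrusted_call_trace_modules(call_trace):
    """Return CallTrace modules outside the OS directories or reported as UNKNOWN.

    Sysmon formats CallTrace as 'module+offset|module+offset|...'. Signature
    state is not in the event, so location is used as the proxy for 'unsigned'.
    """
    suspicious = []
    for frame in call_trace.split("|"):
        module = frame.split("+", 1)[0].strip()
        if not module:
            continue
        if module.upper().startswith("UNKNOWN") or not _under(module, TRUSTED_MODULE_DIRS):
            suspicious.append(module)
    return suspicious


def evaluate_event(line):
    """Return a Finding for a suspicious LSASS access event, otherwise None."""
    ev = json.loads(line)
    if str(ev.get("EventID")) != "10":
        return None  # only ProcessAccess events are relevant
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    if not access & PROCESS_VM_READ:
        return None  # handle cannot read memory, so this is not a dump attempt
    source = ev.get("SourceImage", "")
    reasons = ["full access (0x1fffff)" if access == PROCESS_ALL_ACCESS
               else f"memory-read access 0x{access:x}"]
    bad_modules = untrusted_call_trace_modules(ev.get("CallTrace", ""))
    if _under(source, TRUSTED_SOURCE_DIRS):
        if not bad_modules:
            return None  # baselined AV/EDR binary with a clean call stack
        reasons.append("trusted process but untrusted CallTrace modules: " + ", ".join(bad_modules))
    else:
        reasons.append("source image outside trusted AV/EDR paths")
        if bad_modules:
            reasons.append("untrusted CallTrace modules: " + ", ".join(bad_modules))
    return Finding(source, str(ev.get("SourceProcessId", "")), access, reasons)


def run_detection(lines):
    """Evaluate an iterable of JSON event lines and return the Findings."""
    return [f for f in (evaluate_event(l) for l in lines) if f is not None]


# Constructed sample events (not real telemetry) covering the main cases.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    # ProcDump from a user directory with full access: alert
    {"EventID": 10, "SourceImage": "C:\\Users\\attacker\\procdump64.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|C:\\Users\\attacker\\procdump64.exe+1a2b",
     "SourceProcessId": "4120"},
    # Defender engine from its allowlisted path, clean call stack: suppressed
    {"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|C:\\Windows\\System32\\KERNELBASE.dll+2b1c",
     "SourceProcessId": "3012"},
    # Task Manager: system tool, but not an allowlisted AV/EDR path: alert
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|C:\\Windows\\System32\\Taskmgr.exe+5f00",
     "SourceProcessId": "5588"},
    # Query-only handle (no PROCESS_VM_READ): suppressed
    {"EventID": 10, "SourceImage": "C:\\Users\\bob\\monitor.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4", "SourceProcessId": "7001"},
    # Allowlisted process whose call stack contains a module from a user directory: alert
    {"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|C:\\Users\\attacker\\inject.dll+4c",
     "SourceProcessId": "3012"},
    # Different event type: ignored
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"},
]]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding.source_image, finding.source_pid, "; ".join(finding.reasons))
```

The allowlist is applied to the source image only, so a system tool such as Task Manager still alerts even though it runs from System32; the CallTrace check is what lets an allowlisted AV/EDR process through while still catching a trusted process whose stack contains a module loaded from an untrusted location.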