OS Credential Dumping: LSASS Memory T1003.001
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
Events covered
19 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 88 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (40 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (663 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Common exclusions (56 distinct)
Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 69 rules
- CreateDump Process Dump
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- Dumping Process via Sqldumper.exe
- DumpMinitool Execution
- HackTool - CrackMapExec File Indicators
- HackTool - CrackMapExec Process Patterns
- HackTool - CreateMiniDump Execution
- HackTool - Credential Dumping Tools Named Pipe Created
- HackTool - Doppelanger LSASS Dumper Execution
- HackTool - Dumpert Process Dumper Default File
- HackTool - Dumpert Process Dumper Execution
- HackTool - Generic Process Access
- HackTool - HandleKatz Duplicating LSASS Handle
- HackTool - HandleKatz LSASS Dumper Execution
- HackTool - Impacket File Indicators
- HackTool - Inveigh Execution
- HackTool - Mimikatz Execution
- HackTool - SafetyKatz Dump Indicator
- HackTool - SafetyKatz Execution
- HackTool - Windows Credential Editor (WCE) Execution
- HackTool - WSASS Execution
- HackTool - XORDump Execution
- LSASS Access Detected via Attack Surface Reduction
- LSASS Access From Non System Account
- LSASS Access From Potentially White-Listed Processes
- LSASS Dump Keyword In CommandLine
- Lsass Full Dump Request Via DumpType Registry Settings
- LSASS Memory Access by Tool With Dump Keyword In Name
- Lsass Memory Dump via Comsvcs DLL
- LSASS Process Crashed - Application
- LSASS Process Dump Artefact In CrashDumps Folder
- LSASS Process Memory Dump Creation Via Taskmgr.EXE
- LSASS Process Memory Dump Files
- Password Dumper Activity on LSASS
- Password Dumper Remote Thread in LSASS
- Potential Adplus.EXE Abuse
- Potential Credential Dumping Activity Via LSASS
- Potential Credential Dumping Attempt Via PowerShell Remote Thread
- Potential Credential Dumping Via LSASS Process Clone
- Potential Credential Dumping Via LSASS SilentProcessExit Technique
- Potential Credential Dumping Via WER
- Potential LSASS Process Dump Via Procdump
- Potential SysInternals ProcDump Evasion
- Potential Windows Defender AV Bypass Via Dump64.EXE Rename
- Potentially Suspicious AccessMask Requested From LSASS
- Potentially Suspicious GrantedAccess Flags On LSASS
- PowerShell Get-Process LSASS in ScriptBlock
- PPL Tampering Via WerFaultSecure
- Procdump Execution
- Process Access via TrolleyExpress Exclusion
- Process Memory Dump Via Comsvcs.DLL
- Process Memory Dump via RdrLeakDiag.EXE
- Remote LSASS Process Access Through Windows Remote Management
- Renamed CreateDump Utility Execution
- Suspicious DumpMinitool Execution
- Suspicious LSASS Access Via MalSecLogon
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
- Suspicious Renamed Comsvcs DLL Loaded By Rundll32
- Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
- Time Travel Debugging Utility Usage
- Time Travel Debugging Utility Usage - Image
- Transferring Files with Credential Data via Network Shares
- Unsigned Image Loaded Into LSASS Process
- WerFault LSASS Process Memory Dump
- Windows Credential Editor Registry
Elastic 8 rules
- LSASS Memory Dump Handle Access
- Potential Credential Access via DuplicateHandle in LSASS
- Potential Credential Access via LSASS Memory Dump
- Potential Credential Access via Renamed COM+ Services DLL
- Potential LSASS Clone Creation via PssCaptureSnapShot
- Potential LSASS Memory Dump via PssCaptureSnapShot
- Suspicious LSASS Access via MalSecLogon
- Suspicious Lsass Process Access
Splunk 7 rules
- Access LSASS Memory for Dump Creation
- Create Remote Thread into LSASS
- Creation of lsass Dump with Taskmgr
- Detect Credential Dumping through LSASS access
- Windows Hunting System Account Targeting Lsass
- Windows Non-System Account Targeting Lsass
- Windows Possible Credential Dumping