LSASS Memory Dump Handle Access

Author: Elastic
Source: upstream

Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) process object that carry the specific access masks many memory-dumping tools request (0x1fffff, 0x1010, 0x120089). The rule is tool agnostic: it has been validated against a range of LSASS dump tools such as SharpDump, ProcDump, Mimikatz and comsvcs.dll, and because it detects the behaviour at the level of the handle request itself it does not depend on a specific tool or dump file name.

MITRE ATT&CK coverage

Tactic: Credential Access
Techniques: T1003 OS Credential Dumping; T1003.001 OS Credential Dumping: LSASS Memory

Event coverage

Provider: Security-Auditing
Event ID: 4656
Title: A handle to an object was requested.

Stages and Predicates

Stage 1: kql:new_terms

(winlog.event_data.AccessMask:(0x1010 or 0x120089 or 0x1F3FFF or 0x1fffff)
  or winlog.event_data.AccessMaskDescription:("READ_CONTROL" or "Read from process memory"))
and not winlog.event_data.ProcessName:(
  "C:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe"
  or "C:\\Windows\\System32\\dllhost.exe"
  or "C:\\Windows\\System32\\msiexec.exe"
  or "C:\\Windows\\System32\\svchost.exe"
  or "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
  or "C:\\Windows\\explorer.exe")
and winlog.event_data.ObjectName:"*\\Windows\\System32\\lsass.exe"
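The KQL filter above, re-implemented in Python as an added example (this is not Elastic's code) and run over constructed, Winlogbeat-shaped 4656 records. Only the stage 1 predicate is reproduced faithfully: access masks are compared as exact strings, as KQL does for keyword fields, the process exclusions are exact matches, and the ObjectName wildcard is evaluated as a glob. The new_terms stage alerts only the first time a combination of terms is seen, over fields this page does not list, so the `default_terms` key (host name plus requesting process) and the `first_seen_alerts` helper are assumptions standing in for it. Host names and process paths in the sample input are constructed.

```python
"""Re-implementation of the rule's KQL filter over Winlogbeat-style 4656 events,
with a first-seen layer standing in for the new_terms stage (added example)."""
from fnmatch import fnmatchcase

# Literal values taken from the rule's KQL; compared as exact strings, as KQL
# does for keyword fields (0x1F3FFF and 0x1fffff are different masks, not casings).
ACCESS_MASKS = {"0x1010", "0x120089", "0x1F3FFF", "0x1fffff"}
ACCESS_MASK_DESCRIPTIONS = {"READ_CONTROL", "Read from process memory"}
EXCLUDED_PROCESSES = {
    r"C:\Windows\SysWOW64\wbem\WmiPrvSE.exe",
    r"C:\Windows\System32\dllhost.exe",
    r"C:\Windows\System32\msiexec.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    r"C:\Windows\explorer.exe",
}
# The KQL literal "*\\Windows\\System32\\lsass.exe" unescapes to this glob.
LSASS_OBJECT_GLOB = r"*\Windows\System32\lsass.exe"


def _as_list(value):
    """Winlogbeat renders some event_data fields as a scalar and some as a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def matches(event):
    """True when the event satisfies the rule's KQL filter (stage 1, before new_terms)."""
    data = event.get("winlog", {}).get("event_data", {})
    mask_hit = any(m in ACCESS_MASKS for m in _as_list(data.get("AccessMask")))
    desc_hit = any(d in ACCESS_MASK_DESCRIPTIONS
                   for d in _as_list(data.get("AccessMaskDescription")))
    if not (mask_hit or desc_hit):
        return False
    # Exclusions: handle requests from these system processes are suppressed.
    if data.get("ProcessName") in EXCLUDED_PROCESSES:
        return False
    # The target object must be lsass.exe; ObjectName is usually a \Device\... path.
    return fnmatchcase(data.get("ObjectName") or "", LSASS_OBJECT_GLOB)


def default_terms(event):
    """ASSUMED new-terms key (host + requesting process); the page does not list the fields."""
    return (event.get("host", {}).get("name"),
            event.get("winlog", {}).get("event_data", {}).get("ProcessName"))


def first_seen_alerts(events, terms=default_terms):
    """Apply the filter, then alert only the first time a terms tuple appears."""
    seen = set()
    alerts = []
    for ev in events:
        if not matches(ev):
            continue
        key = terms(ev)
        if key in seen:
            continue  # same host/process already alerted: new_terms suppresses it
        seen.add(key)
        alerts.append(ev)
    return alerts


def _evt(host, process, mask, obj, descriptions=None):
    """Build a constructed, Winlogbeat-shaped 4656 record."""
    data = {"ProcessName": process, "AccessMask": mask, "ObjectName": obj}
    if descriptions is not None:
        data["AccessMaskDescription"] = descriptions
    return {"host": {"name": host}, "winlog": {"event_id": "4656", "event_data": data}}


LSASS = r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed sample input, not real telemetry
    _evt("ws01", r"C:\Users\jdoe\AppData\Local\Temp\dumper.exe", "0x1fffff", LSASS),
    _evt("ws01", r"C:\Windows\System32\svchost.exe", "0x1010", LSASS),
    _evt("ws01", r"C:\Users\jdoe\AppData\Local\Temp\dumper.exe", "0x1fffff",
         r"\Device\HarddiskVolume2\Windows\System32\svchost.exe"),
    _evt("ws02", r"C:\Tools\reader.exe", "0x1000", LSASS,
         descriptions=["READ_CONTROL", "Read from process memory"]),
    _evt("ws01", r"C:\Users\jdoe\AppData\Local\Temp\dumper.exe", "0x1fffff", LSASS),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matches(ev), ev["winlog"]["event_data"]["ProcessName"])
    print(len(first_seen_alerts(SAMPLE_EVENTS)), "alert(s) after new-terms suppression")
```

Of the five constructed records, the first and fourth match (one via an access mask, one via the AccessMaskDescription list), the second is suppressed by the svchost.exe exclusion, the third targets a process other than lsass.exe, and the fifth matches the filter but repeats an already-seen host/process pair, so the first-seen layer drops it and two alerts remain.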

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage: 1
Field: process_name
Kind: in
Excluded values: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe, C:\Windows\System32\dllhost.exe, C:\Windows\System32\msiexec.exe, C:\Windows\System32\svchost.exe, C:\Windows\System32\wbem\WmiPrvSE.exe, C:\Windows\explorer.exe

Indicators

Each entry is a field, an operator, and the values the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or a 1 means the indicator is specific to this rule.

Field: winlog.event_data.AccessMask
Kind: in
Values:
  • 0x1010
  • 0x120089
  • 0x1F3FFF
  • 0x1fffff

Field: winlog.event_data.AccessMaskDescription
Kind: in
Values:
  • READ_CONTROL
  • Read from process memory

Field: winlog.event_data.ObjectName
Kind: wildcard
Values:
  • *\\Windows\\System32\\lsass.exe