splunk_escuTTP

Access LSASS Memory for Dump Creation

The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network.

MITRE ATT&CK

T1003.001

credential-access

Detection Query

`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll*
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY CallTrace EventID GrantedAccess
       Guid Opcode ProcessID
       SecurityID SourceImage SourceProcessGUID
       SourceProcessId TargetImage TargetProcessGUID
       TargetProcessId UserID dest
       granted_access parent_process_exec parent_process_guid
       parent_process_id parent_process_name parent_process_path
       process_exec process_guid process_id
       process_name process_path signature
       signature_id user_id vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `access_lsass_memory_for_dump_creation_filter`

Author

Patrick Bareiss, Splunk

Created

2026-03-10

Data Sources

Sysmon EventID 10

References

https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf

Tags

CISA AA23-347ACredential DumpingCactus RansomwareLokibotScattered Lapsus$ Hunters

Raw Content

name: Access LSASS Memory for Dump Creation
id: fb4c31b0-13e8-4155-8aa5-24de4b8d6717
version: 14
date: '2026-03-10'
author: Patrick Bareiss, Splunk
status: production
type: TTP
description: The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network.
data_source:
    - Sysmon EventID 10
search: |-
    `sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll*
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY CallTrace EventID GrantedAccess
           Guid Opcode ProcessID
           SecurityID SourceImage SourceProcessGUID
           SourceProcessId TargetImage TargetProcessGUID
           TargetProcessId UserID dest
           granted_access parent_process_exec parent_process_guid
           parent_process_id parent_process_name parent_process_path
           process_exec process_guid process_id
           process_name process_path signature
           signature_id user_id vendor_product
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `access_lsass_memory_for_dump_creation_filter`
how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
known_false_positives: Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.
references:
    - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: process $SourceImage$ injected into $TargetImage$ and was attempted dump LSASS on $dest$. Adversaries tend to do this when trying to accesss credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: TargetImage
          type: process
tags:
    analytic_story:
        - CISA AA23-347A
        - Credential Dumping
        - Cactus Ransomware
        - Lokibot
        - Scattered Lapsus$ Hunters
    asset_type: Windows
    mitre_attack_id:
        - T1003.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog