T1003.001

LSASS Memory

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T15...

Platform: Windows
Detections: 105
Sources: 4
Threat Actors: 42

BY SOURCE

sigma: 72
elastic: 21
splunk_escu: 11
crowdstrike_cql: 1

PROCEDURES (57)

Procedure groups are auto-extracted keywords; each entry gives the keyword and the number of detections tagged with it.

Dump: 9 detections
Lsass: 8 detections
Process Access: 6 detections
Suspicious: 5 detections
Credential: 4 detections
Bypass: 3 detections
Service: 3 detections
Lsass: 3 detections
Credential: 3 detections
Remote Thread: 3 detections
Lsass: 2 detections
File Monitoring: 2 detections
Process Creation Monitoring: 2 detections
Credential: 2 detections
Kerbero: 2 detections
Lsass: 2 detections
Credential: 2 detections
Service: 2 detections
Registry: 2 detections
Credential: 2 detections
Registry: 2 detections
Parent Process: 1 detection
Exfiltrat: 1 detection
Lsass: 1 detection
Kerbero: 1 detection
Powershell: 1 detection
Remote: 1 detection
Suspicious: 1 detection
Lsass: 1 detection
Dump: 1 detection
Api: 1 detection
Powershell: 1 detection
Credential: 1 detection
Privilege: 1 detection
Privilege: 1 detection
Lateral: 1 detection
Persist: 1 detection
Dump: 1 detection
Remote: 1 detection
Privilege: 1 detection
Mimikatz: 1 detection
Parent Process: 1 detection
Exfiltrat: 1 detection
Inject: 1 detection
Persist: 1 detection
Parent Process: 1 detection
Credential: 1 detection
Process Access: 1 detection
Mimikatz: 1 detection
Lsass: 1 detection
Lsass: 1 detection
Mimikatz: 1 detection
Service: 1 detection
Mimikatz: 1 detection
Api: 1 detection
Bypass: 1 detection
Powershell: 1 detection

DETECTIONS (105)

Each entry gives the detection name followed by its source and, where the source publishes one, its severity level.

Access LSASS Memory for Dump Creation [splunk_escu]
Antivirus Password Dumper Detection [sigma, critical]
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity [splunk_escu]
Create Remote Thread into LSASS [splunk_escu]
CreateDump Process Dump [sigma, high]
Creation of lsass Dump with Taskmgr [splunk_escu]
Cred Dump Tools Dropped Files [sigma, high]
Credential Dumping - Detected - Elastic Endgame [elastic, high]
Credential Dumping - Prevented - Elastic Endgame [elastic, medium]
Credential Dumping Activity By Python Based Tool [sigma, high]
Credential Dumping Attempt Via WerFault [sigma, high]
Credential Dumping Detection [crowdstrike_cql]
Credential Dumping Tools Service Execution - Security [sigma, high]
Credential Dumping Tools Service Execution - System [sigma, high]
Detect Credential Dumping through LSASS access [splunk_escu]
Disabling Lsa Protection via Registry Modification [elastic, high]
Dump LSASS via comsvcs DLL [splunk_escu]
Dump LSASS via procdump [splunk_escu]
Dumping Process via Sqldumper.exe [sigma, medium]
DumpMinitool Execution [sigma, medium]
Full User-Mode Dumps Enabled System-Wide [elastic, medium]
HackTool - CrackMapExec File Indicators [sigma, high]
HackTool - CrackMapExec Process Patterns [sigma, high]
HackTool - CreateMiniDump Execution [sigma, high]
HackTool - Credential Dumping Tools Named Pipe Created [sigma, critical]
HackTool - Doppelanger LSASS Dumper Execution [sigma, high]
HackTool - Dumpert Process Dumper Default File [sigma, critical]
HackTool - Dumpert Process Dumper Execution [sigma, critical]
HackTool - Generic Process Access [sigma, high]
HackTool - HandleKatz Duplicating LSASS Handle [sigma, high]
HackTool - HandleKatz LSASS Dumper Execution [sigma, high]
HackTool - Impacket File Indicators [sigma, high]
HackTool - Inveigh Execution [sigma, critical]
HackTool - Mimikatz Execution [sigma, high]
HackTool - SafetyKatz Dump Indicator [sigma, high]
HackTool - SafetyKatz Execution [sigma, critical]
HackTool - Windows Credential Editor (WCE) Execution [sigma, critical]
HackTool - WSASS Execution [sigma, high]
HackTool - XORDump Execution [sigma, high]
LSASS Access Detected via Attack Surface Reduction [sigma, high]
LSASS Access From Non System Account [sigma, medium]
LSASS Access From Potentially White-Listed Processes [sigma, high]
LSASS Dump Keyword In CommandLine [sigma, high]
Lsass Full Dump Request Via DumpType Registry Settings [sigma, high]
LSASS Memory Access by Tool With Dump Keyword In Name [sigma, high]
LSASS Memory Dump Creation [elastic, high]
LSASS Memory Dump Handle Access [elastic, medium]
Lsass Memory Dump via Comsvcs DLL [sigma, high]
LSASS Process Access via Windows API [elastic, medium]
LSASS Process Crashed - Application [sigma, high]
LSASS Process Dump Artefact In CrashDumps Folder [sigma, high]
LSASS Process Memory Dump Creation Via Taskmgr.EXE [sigma, high]
LSASS Process Memory Dump Files [sigma, high]
Mimikatz Use [sigma, high]
Modification of WDigest Security Provider [elastic, high]
Password Dumper Activity on LSASS [sigma, high]
Password Dumper Remote Thread in LSASS [sigma, high]
Potential Adplus.EXE Abuse [sigma, high]
Potential Credential Access via DuplicateHandle in LSASS [elastic, medium]
Potential Credential Access via LSASS Memory Dump [elastic, high]
Potential Credential Access via Renamed COM+ Services DLL [elastic, high]
Potential Credential Access via Windows Utilities [elastic, high]
Potential Credential Dumping Activity Via LSASS [sigma, medium]
Potential Credential Dumping Attempt Via PowerShell Remote Thread [sigma, high]
Potential Credential Dumping Via LSASS Process Clone [sigma, critical]
Potential Credential Dumping Via LSASS SilentProcessExit Technique [sigma, critical]
Potential Credential Dumping Via WER [sigma, high]
Potential Invoke-Mimikatz PowerShell Script [elastic, critical]
Potential LSASS Clone Creation via PssCaptureSnapShot [elastic, high]
Potential LSASS Memory Dump via PssCaptureSnapShot [elastic, high]
Potential LSASS Process Dump Via Procdump [sigma, high]
Potential PowerShell HackTool Script by Function Names [elastic, medium]
Potential SysInternals ProcDump Evasion [sigma, high]
Potential Windows Defender AV Bypass Via Dump64.EXE Rename [sigma, high]
Potentially Suspicious AccessMask Requested From LSASS [sigma, medium]
Potentially Suspicious GrantedAccess Flags On LSASS [sigma, medium]
PowerShell Get-Process LSASS in ScriptBlock [sigma, high]
PowerShell Kerberos Ticket Dump [elastic, high]
PowerShell MiniDump Script [elastic, high]
PPL Tampering Via WerFaultSecure [sigma, high]
Procdump Execution [sigma, medium]
Process Access via TrolleyExpress Exclusion [sigma, high]
Process Memory Dump Via Comsvcs.DLL [sigma, high]
Process Memory Dump via RdrLeakDiag.EXE [sigma, high]
Remote LSASS Process Access Through Windows Remote Management [sigma, high]
Renamed CreateDump Utility Execution [sigma, high]
Suspicious DumpMinitool Execution [sigma, high]
Suspicious LSASS Access via MalSecLogon [elastic, high]
Suspicious LSASS Access Via MalSecLogon [sigma, high]
Suspicious Lsass Process Access [elastic, medium]
Suspicious Module Loaded by LSASS [elastic, medium]
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs [sigma, high]
Suspicious Renamed Comsvcs DLL Loaded By Rundll32 [sigma, high]
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded [sigma, high]
Time Travel Debugging Utility Usage [sigma, high]
Time Travel Debugging Utility Usage - Image [sigma, high]
Transferring Files with Credential Data via Network Shares [sigma, medium]
Transferring Files with Credential Data via Network Shares - Zeek [sigma, medium]
Unsigned Image Loaded Into LSASS Process [sigma, medium]
WerFault LSASS Process Memory Dump [sigma, high]
Windows Credential Dumping LSASS Memory Createdump [splunk_escu]
Windows Credential Editor Registry [sigma, critical]
Windows Hunting System Account Targeting Lsass [splunk_escu]
Windows Non-System Account Targeting Lsass [splunk_escu]
Windows Possible Credential Dumping [splunk_escu]