OS Credential Dumping: LSASS Memory T1003.001

Tactic: Credential Access

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.

Events covered

29 catalog events are tagged with this technique by at least one rule.

Provider | Event | Title
Sysmon | Event ID 1 | Process creation
Sysmon | Event ID 7 | Image loaded
Sysmon | Event ID 8 | CreateRemoteThread
Sysmon | Event ID 10 | ProcessAccess
Sysmon | Event ID 11 | FileCreate
Sysmon | Event ID 12 | RegistryEvent (Object create and delete)
Sysmon | Event ID 13 | RegistryEvent (Value Set)
Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename)
Sysmon | Event ID 17 | PipeEvent (Pipe Created)
Sysmon | Event ID 18 | PipeEvent (Pipe Connected)
Security-Auditing | Event ID 4656 | A handle to an object was requested.
Security-Auditing | Event ID 4657 | A registry value was modified.
Security-Auditing | Event ID 4661 | A handle to an object was requested.
Security-Auditing | Event ID 4663 | An attempt was made to access an object.
Security-Auditing | Event ID 4673 | A privileged service was called.
Security-Auditing | Event ID 4688 | A new process has been created.
Security-Auditing | Event ID 4690 | An attempt was made to duplicate a handle to an object.
Security-Auditing | Event ID 4697 | A service was installed in the system.
Security-Auditing | Event ID 4703 | A user right was adjusted.
Security-Auditing | Event ID 5145 | A network share object was checked to see whether client can be granted desired access.
Application-Error | Event ID 1000 | Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.
Defender-DeviceEvents | OpenProcessApiCall | Process opened (OpenProcess API call)
Defender-DeviceEvents | ProcessPrimaryTokenModified | Process primary token modified
Kernel-Audit-API-Calls | Event ID 5 | OpenProcess API call audited
PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData.
PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
Windows-Defender | Event ID 1121 | Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
PowerShell | Event ID 800 | Event ID 800
Service-Control-Manager | Event ID 7045 | A service was installed in the system.

Authoring guide

Patterns shared across the 168 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (85 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
Image | 58 | ends_with 44, contains 9, eq 8, regex_match 7, starts_with 2, is_not_null 1 | \rundll32.exe, \\lsass\.exe$, \powershell.exe, \pwsh.exe, ?:\windows\system32\lsass.exe
CommandLine | 45 | contains 37, match 5, ends_with 2, in 2, regex_match 2, starts_with 1, wildcard 1 | --full , --name , -f , -ma , full
TargetImage | 28 | ends_with 23, eq 4, in 1 | \lsass.exe, lsass.exe, ?:\windows\system32\lsass.exe, \\lsass.exe, \system32\lsass.exe
EventID | 25 | eq 24, in 1 | 4688, 10, 1, 4656, 11
OriginalFileName | 19 | eq 18, contains 1, is_null 1 | fx_ver_internalname_str, procdump, dumpminitool.arm64.exe, dumpminitool.exe, dumpminitool.x86.exe
process_name | 19 | eq 9, ends_with 8, contains 3, in 1, is_not_null 1, match 1, starts_with 1, wildcard 1 | \lsass.exe, :\program files (x86)\, :\program files\, procdump.exe, rundll32.exe
GrantedAccess | 17 | eq 14, ends_with 5, contains 1, in 1, starts_with 1 | 0x1010, 0x1410, 0x1fffff, 0x1418, 0x1438
TargetFilename | 16 | contains 8, ends_with 7, regex_match 6, starts_with 2, eq 1 | .dmp, \.dmp$, \lsass, *lsass*.dmp, .mdmp
CallTrace | 13 | contains 12, ends_with 1, in 1, match 1, starts_with 1 | dbgcore.dll, dbghelp.dll, seclogon.dll, ), *dbgcore.dll*
ParentImage | 9 | eq 3, regex_match 3, ends_with 2, contains 1 | %hacktool_contains, %hacktool_regex, :\\windows\\(system32|syswow64)\\taskmgr\.exe$, ?:\windows\system32\lsass.exe, \\rundll32\.exe$
ObjectName | 8 | ends_with 6, starts_with 2 | \lsass.exe, CN=, DC=, S-1-5-21-, \System32\lsass.exe
Hashes | 7 | contains 7 | imphash=0e2216679ca6e1094d63322e3412d650, imphash=136f0a8572c058a96436c82e541e4c41, imphash=281d618f4e6271e527e6386ea6f748de, imphash=32f5095c9bbdcacf28fd4060eb4dfc42, imphash=38d9e015591bbfd4929e0d0f47fa0055
ObjectType | 7 | eq 7 | Process, SAM_DOMAIN, SAM_SERVER, SAM_USER
TargetObject | 7 | contains 4, wildcard 2, eq 1 | *\system\*controlset*\control\lsa\runasppl, *\system\*controlset*\control\securityproviders\wdigest\u..., \registry\machine\software\microsoft\windows\windows..., \software\microsoft\windows\windows error..., \software\microsoft\windows\windows error...
EventType | 6 | eq 5, ne 1 | cred_theft_event, IntrusionEvent, ProcessPrimaryTokenModified, deletion, load

Top indicator values (1419 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for a useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
TargetImage | ends_with | \lsass.exe | 16 | 16
TargetImage | ends_with | lsass.exe | 5 | 6
EventID | eq | 4688 | 8 | 313
EventID | eq | 10 | 7 | 16
EventID | eq | 1 | 4 | 237
EventID | eq | 4656 | 4 | 19
Image | ends_with | \rundll32.exe | 6 | 95
CommandLine | contains | .dmp | 5 | 10
CommandLine | contains | --full | 4 | 4
CommandLine | contains | --name | 4 | 4
CommandLine | contains | -f | 4 | 8
CommandLine | contains | -u | 4 | 8
CommandLine | contains | lsass | 4 | 9
GrantedAccess | eq | 0x1fffff | 5 | 9
event.category | eq | process | 5 | 128
CallTrace | contains | dbgcore.dll | 4 | 4
CallTrace | contains | dbghelp.dll | 4 | 4
GrantedAccess | ends_with | 0x14c2 | 4 | 4
GrantedAccess | ends_with | 10 | 4 | 4
GrantedAccess | ends_with | 18 | 4 | 4
GrantedAccess | ends_with | 1a | 4 | 4
GrantedAccess | ends_with | 30 | 4 | 4
GrantedAccess | ends_with | 38 | 4 | 4
GrantedAccess | ends_with | 3a | 4 | 4
GrantedAccess | ends_with | 50 | 4 | 4
GrantedAccess | ends_with | 58 | 4 | 4
GrantedAccess | ends_with | 5a | 4 | 4
GrantedAccess | ends_with | 70 | 4 | 4
GrantedAccess | ends_with | 78 | 4 | 4
GrantedAccess | ends_with | 7a | 4 | 4

Exclusions (405 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out; a new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
SubjectUserName | ends_with | $ | 4
Image | ends_with | \aurora-agent-64.exe | 3
Image | ends_with | \aurora-agent.exe | 3
Image | ends_with | \mbaminstallerservice.exe | 3
Image | ends_with | \thor.exe | 3
Image | ends_with | \thor64.exe | 3
Image | ends_with | \dropboxupdate.exe | 2
process_name | eq | c:\windows\system32\wbem\wmiprvse.exe | 3
GrantedAccess | eq | 0x1410 | 2
GrantedAccess | eq | 0x40 | 2
GrantedAccess | eq | 0x410 | 2
Image | contains | \appdata\local\ | 2
Image | contains | \appdata\local\temp\ | 2
Image | contains | \steamlibrary\steamapps\ | 2
Image | contains | \vs_bootstrapper_ | 2
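The indicator and exclusion tables above describe how rules narrow a Sysmon Event ID 10 (ProcessAccess) match; as an added example that is not part of the catalog or any vendor's rule set, the Python below combines the TargetImage, GrantedAccess and CallTrace indicators with the listed exclusions and runs them over constructed sample records. The function names (lsass_access_suspicious, triage) and the sample paths are assumptions made for this illustration.

```python
# Indicators drawn from the tables above (GrantedAccess is checked both on its
# full value and on its suffix, mirroring the catalog's eq / ends_with kinds).
GRANTED_ACCESS_EQ = {"0x1fffff", "0x1010", "0x1418", "0x1438"}
GRANTED_ACCESS_SUFFIX = ("0x14c2", "10", "18", "1a", "30", "38", "3a",
                         "50", "58", "5a", "70", "78", "7a")
CALLTRACE_CONTAINS = ("dbgcore.dll", "dbghelp.dll")

# Exclusions drawn from the table above: known security agents/installers and
# low-privilege access masks that the community rules filter out.
EXCLUDED_IMAGE_SUFFIX = ("\\thor.exe", "\\thor64.exe", "\\aurora-agent.exe",
                         "\\aurora-agent-64.exe", "\\mbaminstallerservice.exe",
                         "\\dropboxupdate.exe")
EXCLUDED_GRANTED_ACCESS = {"0x1410", "0x410", "0x40"}

def lsass_access_suspicious(ev: dict) -> bool:
    """Hypothetical detector: True when a Sysmon Event ID 10 (ProcessAccess)
    record combines an LSASS target, a dump-capable access mask and a
    minidump library in the call trace, and no exclusion applies."""
    if ev.get("EventID") != 10:
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    src = ev.get("SourceImage", "").lower()
    ga = ev.get("GrantedAccess", "").lower()
    # Exclusions first: an LSASS TargetImage alone also fires on security
    # agents, and the "10" suffix would otherwise match the benign 0x1410 mask.
    if src.endswith(EXCLUDED_IMAGE_SUFFIX) or ga in EXCLUDED_GRANTED_ACCESS:
        return False
    access_hit = ga in GRANTED_ACCESS_EQ or ga.endswith(GRANTED_ACCESS_SUFFIX)
    trace_hit = any(d in ev.get("CallTrace", "").lower() for d in CALLTRACE_CONTAINS)
    return access_hit and trace_hit

def triage(events: list) -> list:
    """Return the SourceImage of every event the detector flags."""
    return [e["SourceImage"] for e in events if lsass_access_suspicious(e)]

# Constructed sample records (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": "C:\\Users\\a\\Desktop\\tool.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|C:\\Windows\\System32\\dbgcore.dll+1b2a"},
    {"EventID": 10, "SourceImage": "C:\\Program Files\\thor\\thor64.exe",   # excluded agent
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|C:\\Windows\\System32\\dbghelp.dll+3c1"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",   # benign mask
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234"},
]
```

Running triage(SAMPLE_EVENTS) flags only the first record; the second is dropped by the image exclusion and the third by the GrantedAccess exclusion even though its mask ends in the listed suffix "10".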

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry carries its full predicates, exclusions, and indicators.


Sigma: 90 rules
Elastic: 23 rules
Splunk: 26 rules
Kusto: 8 rules
YARA-L: 18 rules
Panther: 3 rules