Why LSASS Is Ground Zero for Credential Theft

The Local Security Authority Subsystem Service (LSASS) is the crown jewel of Windows credential material. It caches NTLM hashes, Kerberos tickets, and plaintext passwords (on older systems or with WDigest enabled) for every authenticated user. When an attacker gains SYSTEM or SeDebugPrivilege, dumping LSASS is frequently their first lateral movement enabler.

Mimikatz’s sekurlsa::logonpasswords has been standard tradecraft since 2014 — but the technique remains devastatingly effective. Understanding what happens at the OS level is the prerequisite to building detections that actually fire.

Attack Mechanics

LSASS credential dumping at a technical level involves one of three broad approaches:

  1. Direct memory read — using OpenProcess + ReadProcessMemory (Mimikatz in-memory, pypykatz)
  2. MiniDump via Windows API — MiniDumpWriteDump through tools like procdump, Task Manager, or custom loaders
  3. Volume Shadow Copy / registry hive extraction — offline SAM/SYSTEM/SECURITY extraction (out of scope for this guide)

The in-memory paths leave very specific OS-level artifacts regardless of the tool used, which is exactly what we hunt.

Key Log Sources

Log Source | Event ID | What It Captures
--- | --- | ---
Sysmon | 10 | Process access events (OpenProcess to LSASS)
Windows Security | 4656 | Handle requested for LSASS object
Windows Security | 4663 | Access to LSASS process object
Sysmon | 7 | Image load (e.g. suspicious DLL in Mimikatz context)
Windows Defender | 1121 | ASR rule block for credential dumping

Sysmon Event ID 10 is your highest-fidelity source. It captures the calling process, the target process (LSASS), and, critically, the granted access mask — the specific permission bits the caller requested.

High-Value Access Masks

Not all OpenProcess calls to LSASS are malicious — many legitimate processes (AV, EDR, Windows itself) open LSASS handles. The differentiator is the access rights requested:

  • 0x1010 — PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION (common in Mimikatz)
  • 0x1FFFFF — Full access (extremely suspicious from non-OS processes)
  • 0x1F3FFF — Another full-access pattern seen in commodity tools
  • 0x410 — Seen in procdump-style minidump creation

Sigma Rules

Core LSASS Access Detection

title: LSASS Memory Access via Suspicious Process
id: 5ef0a81d-1b23-4b7e-9f2a-3d456789abcd
status: stable
description: Detects suspicious OpenProcess calls targeting LSASS with credential-dumping access masks
references:
  - https://attack.mitre.org/techniques/T1003/001/
author: SOC Analyst Hub
date: 2025/10/15
tags:
  - attack.credential_access
  - attack.t1003.001
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess|contains:
      - '0x1010'
      - '0x1410'
      - '0x1FFFFF'
      - '0x1F3FFF'
      - '0x143A'
      - '0x40'
  filter_legit:
    SourceImage|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
      - 'C:\Program Files\Windows Defender\'
    SourceImage|endswith:
      - '\MsMpEng.exe'
      - '\SenseIR.exe'
      - '\csrss.exe'
      - '\wininit.exe'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate AV/EDR products
  - Some backup agents
  - Security scanning tools
level: high
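To see what the access masks listed above actually grant, and how the selection and filter_legit blocks of this rule combine, here is an added Python example (not code from the original post or from the Sigma project) that decodes a GrantedAccess value into PROCESS_* rights and replays the rule's logic over constructed Event 10 records. The PROCESS_RIGHTS table and the sample events are assumptions built for the example.

```python
# Added example, not code from the original post: decode a Sysmon Event 10
# GrantedAccess mask and replay "selection and not filter_legit" over samples.
PROCESS_RIGHTS = {  # Windows process access-right bits
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

def decode_mask(granted_access: str) -> list[str]:
    """Name the rights set in a hex GrantedAccess string such as '0x1010'."""
    mask = int(granted_access, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

# Values from the rule's selection block. Sigma 'contains' is a case-insensitive
# substring test, so '0x40' also matches e.g. '0x401'; mirror that exactly.
SUSPICIOUS_MASKS = ["0x1010", "0x1410", "0x1fffff", "0x1f3fff", "0x143a", "0x40"]
LEGIT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                  "c:\\program files\\windows defender\\")
LEGIT_SUFFIXES = ("\\msmpeng.exe", "\\senseir.exe", "\\csrss.exe", "\\wininit.exe")

def matches_rule(event: dict) -> bool:
    """Evaluate 'selection and not filter_legit' for one Event 10 record."""
    source = event["SourceImage"].lower()
    access = event["GrantedAccess"].lower()
    selection = (event["TargetImage"].lower().endswith("\\lsass.exe")
                 and any(m in access for m in SUSPICIOUS_MASKS))
    # Two keys inside one Sigma selection are ANDed: the caller must sit in a
    # trusted directory AND carry a trusted name, so a renamed copy elsewhere fires.
    filter_legit = (source.startswith(LEGIT_PREFIXES)
                    and source.endswith(LEGIT_SUFFIXES))
    return selection and not filter_legit

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Temp\csrss.exe",  # trusted name, untrusted path
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1F3FFF"},
    {"SourceImage": r"C:\Tools\procdump64.exe",  # 0x410 is not in the mask list
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x410"},
]

def alerts(events=SAMPLE_EVENTS) -> list[str]:
    """Return the SourceImage of every event the rule fires on."""
    return [e["SourceImage"] for e in events if matches_rule(e)]
```

Note that the 0x410 sample does not fire: that mask is discussed above as a procdump-style pattern but is not among the strings the rule's selection matches, which is the kind of gap this replay makes visible before deployment.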

Procdump Targeting LSASS

title: Procdump Execution Targeting LSASS
id: a2b3c4d5-e6f7-8901-abcd-ef0123456789
status: stable
description: Detects procdump usage with LSASS as target process
logsource:
  category: process_creation
  product: windows
detection:
  selection_procdump:
    Image|endswith:
      - '\procdump.exe'
      - '\procdump64.exe'
  selection_lsass:
    # contains|all requires both tokens on the command line; a plain list is
    # OR and would fire on any procdump -ma invocation
    CommandLine|contains|all:
      - 'lsass'
      - '-ma'
  condition: selection_procdump and selection_lsass
level: critical

Detecting MiniDump via Task Manager

A frequently overlooked vector — right-clicking LSASS in Task Manager and selecting “Create Dump File” is an effective technique that generates no Mimikatz-specific indicators. Look for:

  • Sysmon Event 11 (file creation) creating .dmp files in %TEMP% or unusual paths
  • Sysmon Event 10 from taskmgr.exe targeting lsass.exe

title: LSASS Dump File Created in Suspicious Location
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains: 'lsass'
    TargetFilename|endswith: '.dmp'
  filter_wer:
    TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\'
  condition: selection and not filter_wer
level: high

Tuning and False Positives

The most common tuning challenges are:

EDR and AV products — Every endpoint security product reads LSASS. Build an allowlist of known-good hashes or paths for your deployed security stack and add them to the filter_legit condition.

Windows Error Reporting (WER) — WER creates minidumps legitimately. Filter on the WER service path and confine file-creation alerts to unexpected directories.

SCCM / backup agents — Some enterprise backup solutions open LSASS handles. Validate with your asset team and add signed-binary filters.

Detection Validation

Test your detections with:

  1. Atomic Red Team — T1003.001 test cases (requires local admin, test in isolated VM)
  2. Invoke-Mimikatz in PowerShell (disable AV, test environment only)
  3. procdump.exe -ma lsass.exe lsass_dump (Sysinternals, no AV bypass needed for testing)

Run each technique and confirm your Sysmon Event 10 alert fires before declaring a detection live.

Response Playbook

When LSASS dumping is confirmed:

  1. Isolate the host immediately — assume all credentials cached on that host are compromised
  2. Identify the source process — is it signed? From what parent?
  3. Check for lateral movement — query for authentication events from the host in the past 30 minutes
  4. Force credential rotation — for any accounts that were active sessions on the compromised host
  5. Collect memory if the threat actor is still active — volatile evidence degrades fast

Consider LSASS dumping a Tier-1 critical incident that requires immediate escalation, not just a ticket.