DET0363 Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence

Item	Value
ID	DET0363
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1003.001 (LSASS Memory)

Analytics

Windows

AN1030

A non-privileged or abnormal process attempts to open a handle with full access (0x1F0FFF) to lsass.exe and subsequently invokes memory dump, file creation, or registry modification indicative of credential scraping. This behavior chain reflects staged credential theft activity.

Log Sources

Data Component	Name	Channel
Process Access (DC0035)	WinEventLog:Sysmon	EventCode=10
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11
User Account Metadata (DC0013)	WinEventLog:Security	EventCode=4673
Windows Registry Key Modification (DC0063)	WinEventLog:Sysmon	EventCode=13, 14

Mutable Elements

Field	Description
AccessMask	Set to 0x1F0FFF to detect full memory access attempts; can be scoped down to reduce noise.
TimeWindow	Defines time between LSASS access and dump file creation or registry modification (e.g., 5 minutes).
ParentProcessName	Allowlist known legitimate tools (e.g., AV/EDR) accessing lsass.exe.
DumpFilePath	Paths where memory dumps are written, e.g., %TEMP%, C:\Windows\Temp.
CommandLinePattern	Common dumping syntax like rundll32, procdump, comsvcs.dll, Invoke-Mimikatz.