T1003.001 · Defined · ATT&CK reference: T1003.001

OS Credential Dumping: LSASS Memory

Process · Read · ProcessSegment — Read credential material from the memory segment of the Local Security Authority Subsystem Service (LSASS) process.

Ontological Definition
Actor: Process
Action: Read
Artifact: ProcessSegment

Detect

STP 5

process.file.name = lsass.exe is necessary and sufficient to scope detection to this technique. Any unprivileged process opening LSASS with PROCESS_VM_READ access is STP 5 regardless of tool. Rules targeting the tool by name or hash are STP 1–2.

Gate on
activity_id = Open (PROCESS_VM_READ)
process.file.name = lsass.exe

Detect PROCESS_VM_READ handle opens on lsass.exe from non-system processes using kernel telemetry. This is technique-defining and tool-agnostic. PPL on LSASS generates kernel events on bypass attempts.

Mitigate

STP 5

Enabling LSASS as a Protected Process Light (PPL) prevents arbitrary process memory reads at the kernel level, regardless of tool or technique variant.

Enable Credential Guard and LSASS PPL via Windows Defender Credential Guard or direct LSA protection registry settings. Blocking specific tools (Mimikatz signatures) is STP 1–2.

Respond

Disclosed

The attacker received a copy — the original data remains on the victim system. Assess what was read and whether it includes credentials or PII. Notify affected parties as required.

Attacker foothold
  Dump Tool (actor.process)
  Running Account (actor.user)
D3FEND response actions
  d3f:ProcessTermination, d3f:AccountLocking, d3f:NetworkIsolation
OCSF event model

Event class: Process Activity (1007)  ·  activity_id: Open (PROCESS_VM_READ)

Legend: attacker-controlled · post-success · victim · tainted
%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
  classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
  classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
  classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
  classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa

  EVENT(["Process Activity\n· Open (PROCESS_VM_READ)"])

  actor_process["Dump Tool\nactor.process\nd3f:Process"]:::attacker
  actor_user["Running Account\nactor.user\nd3f:UserAccount"]:::attacker
  lsass_process["LSASS\nprocess\nd3f:Process"]:::victim
  device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted

  EVENT --> actor_process
  actor_process --> actor_user
  EVENT --> lsass_process
  EVENT --> device

  actor_process -.->|"reads memory of"| lsass_process
Dump Tool (actor.process · d3f:Process) · attacker-controlled
  actor.process.file.path · attacker-controlled · Tool binary path: attacker-chosen Execution Medium, trivially changed
  actor.process.file.hash · attacker-controlled · Tool hash: changes with every recompile
  actor.process.file.name · attacker-controlled · Tool filename: trivially renamed
  Countermeasures: d3f:ProcessTermination

Running Account (actor.user · d3f:UserAccount) · attacker-controlled
  Countermeasures: d3f:AccountLocking

LSASS (process · d3f:Process) · victim
  process.file.name · invariant · = lsass.exe
  process.pid · variable · LSASS process identifier: victim-side, varies per boot

Host (device · d3f:Host) · tainted
  Countermeasures: d3f:NetworkIsolation
Definitional Sigma rule

Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.

title: OS Credential Dumping: LSASS Memory (T1003.001)
status: experimental
description: >
  Definitional rule — broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
logsource:
  product: ocsf
  category: Process Activity (1007)
detection:
  selection:
    activity_id: 'Open (PROCESS_VM_READ)'
    process.file.name: 'lsass.exe'
  condition: selection
Execution Medium–scoped detection (STP 3 ceiling)

Sample rules — not canonical definitions. Each constrains detection to a specific Execution Medium and has a hard STP 3 ceiling. The attacker switches Execution Medium; the rule misses. Compare with the definitional rule above.

STP 3

Gating on actor.process.file.name = powershell.exe has a hard STP 3 ceiling: it is evaded immediately by switching to a compiled binary, cmd.exe with direct API calls, or any other Execution Medium. The technique itself is unchanged.

title: LSASS Memory — PowerShell medium (sample)
status: experimental
description: >
  Sample — STP 3 ceiling. Detects a PowerShell process opening lsass.exe
  with read-memory access rights. Evaded by switching to any other Execution Medium.
logsource:
  product: ocsf
  category: Process Activity (1007)
detection:
  selection:
    activity_id: 'Open'
    process.access_mask: 'PROCESS_VM_READ'  # NOTE: not OCSF native; implementation-specific access rights field
    process.file.name: 'lsass.exe'
    actor.process.file.name: 'powershell.exe'
  condition: selection
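To make the STP difference between the definitional rule and the Execution Medium–scoped sample concrete, the following is an added example (not code from this page or from any project) that evaluates both rules over a handful of constructed OCSF-style Process Activity events. The event shapes, the `activity_name` field, the `process.access_mask` integer (the page's own implementation-specific, non-OCSF access-rights field) and every process name, path and user in the sample data are assumptions invented for the example. It also shows the one detail a rule author needs to get right that neither YAML rule spells out: granted access should be bit-tested for `PROCESS_VM_READ` (`0x0010`), because an all-access open such as `0x1FFFFF` also grants memory read and would never equal the literal string `'PROCESS_VM_READ'`.

```python
"""Added example: evaluate the page's definitional and medium-scoped rules
against constructed OCSF-style Process Activity (class 1007) events."""
from typing import Any, Callable, Dict, List

PROCESS_VM_READ = 0x0010            # Windows process access right
PROCESS_QUERY_INFORMATION = 0x0400  # often requested alongside VM_READ by dump tools
PROCESS_ALL_ACCESS = 0x1FFFFF       # full-access mask as commonly seen in handle telemetry

# Constructed sample events (not real telemetry). 'process.access_mask' is the
# implementation-specific field the page notes is not OCSF native.
EVENTS: List[Dict[str, Any]] = [
    {   # renamed compiled dump tool opening lsass.exe with VM_READ | QUERY_INFORMATION
        "class_uid": 1007, "activity_name": "Open",
        "actor": {"process": {"file": {"name": "svchost_upd.exe",
                                       "path": "C:\\Users\\Public\\svchost_upd.exe"}},
                  "user": {"name": "jdoe"}},
        "process": {"file": {"name": "lsass.exe"}, "pid": 712,
                    "access_mask": PROCESS_VM_READ | PROCESS_QUERY_INFORMATION},
    },
    {   # PowerShell medium opening lsass.exe with an all-access mask (case differs)
        "class_uid": 1007, "activity_name": "Open",
        "actor": {"process": {"file": {"name": "powershell.exe",
                                       "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}},
                  "user": {"name": "jdoe"}},
        "process": {"file": {"name": "LSASS.EXE"}, "pid": 712, "access_mask": PROCESS_ALL_ACCESS},
    },
    {   # PowerShell reading a different process: not this technique
        "class_uid": 1007, "activity_name": "Open",
        "actor": {"process": {"file": {"name": "powershell.exe", "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}},
                  "user": {"name": "jdoe"}},
        "process": {"file": {"name": "notepad.exe"}, "pid": 4410, "access_mask": PROCESS_VM_READ},
    },
    {   # lsass.exe opened with query-only rights: no memory read
        "class_uid": 1007, "activity_name": "Open",
        "actor": {"process": {"file": {"name": "taskmgr.exe", "path": "C:\\Windows\\System32\\Taskmgr.exe"}},
                  "user": {"name": "jdoe"}},
        "process": {"file": {"name": "lsass.exe"}, "pid": 712, "access_mask": PROCESS_QUERY_INFORMATION},
    },
    {   # hypothetical endpoint agent that legitimately reads LSASS (invented vendor path)
        "class_uid": 1007, "activity_name": "Open",
        "actor": {"process": {"file": {"name": "edrsvc.exe", "path": "C:\\Program Files\\ExampleEDR\\edrsvc.exe"}},
                  "user": {"name": "SYSTEM"}},
        "process": {"file": {"name": "lsass.exe"}, "pid": 712, "access_mask": PROCESS_VM_READ},
    },
]

def get_path(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve an OCSF dotted field path such as 'actor.process.file.name'."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def field_equals(event: Dict[str, Any], dotted: str, expected: str) -> bool:
    """Sigma string matching is case-insensitive, as are Windows file names."""
    value = get_path(event, dotted)
    return isinstance(value, str) and value.lower() == expected.lower()

def has_vm_read(event: Dict[str, Any]) -> bool:
    """Bit-test the granted mask: 0x1FFFFF (all access) also grants VM_READ."""
    mask = get_path(event, "process.access_mask")
    return isinstance(mask, int) and bool(mask & PROCESS_VM_READ)

def definitional_rule(event: Dict[str, Any]) -> bool:
    """The page's definitional rule: Open + VM_READ + process.file.name = lsass.exe."""
    return (field_equals(event, "activity_name", "Open")
            and has_vm_read(event)
            and field_equals(event, "process.file.name", "lsass.exe"))

def powershell_medium_rule(event: Dict[str, Any]) -> bool:
    """The page's STP 3 sample: same condition, gated on the PowerShell medium."""
    return definitional_rule(event) and field_equals(event, "actor.process.file.name", "powershell.exe")

# Operational narrowing of the definitional rule, as the page suggests: an exclusion
# on an attacker-controlled field (here actor.process.file.path). This trades STP
# for volume, since the excluded path is attacker-chosen and trivially reused.
KNOWN_LSASS_READERS = {"c:\\program files\\exampleedr\\edrsvc.exe"}  # constructed allowlist

def narrowed_rule(event: Dict[str, Any]) -> bool:
    path = get_path(event, "actor.process.file.path")
    excluded = isinstance(path, str) and path.lower() in KNOWN_LSASS_READERS
    return definitional_rule(event) and not excluded

def evaluate(events: List[Dict[str, Any]], rule: Callable[[Dict[str, Any]], bool]) -> List[str]:
    """Return the actor process names of the events the rule fires on, in order."""
    return [get_path(e, "actor.process.file.name") for e in events if rule(e)]

if __name__ == "__main__":
    for name, rule in [("definitional", definitional_rule),
                       ("powershell medium", powershell_medium_rule),
                       ("narrowed", narrowed_rule)]:
        print(f"{name:18} -> {evaluate(EVENTS, rule)}")
```

Run stand-alone, the definitional rule fires on the renamed compiled tool, the PowerShell open and the agent; the medium-scoped sample fires only on PowerShell, missing the compiled tool exactly as the page describes; the narrowed variant drops the allowlisted agent path while keeping both attacker events.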
Seen in the wild (1 report)

PowerShower creates a VSS shadow copy of the C: drive and copies the SAM and SECURITY registry hives to disk — OS credential dumping via volume shadow, parallel to LSASS memory reads.