Detect LSASS Credential Dumping with Sysmon
Sigma Rule
title: LSASS Process Access — Credential Dumping
id: c47a1e9d-3b62-4d57-8f0a-6b2d9e4c1a03
status: experimental
description: >
  Detects a process opening a handle to lsass.exe with access rights used to
  read process memory (credential dumping), the technique behind Mimikatz,
  comsvcs.dll MiniDump, and most hands-on-keyboard intrusions. Sysmon Event ID 10
  (ProcessAccess) on a TargetImage of lsass.exe.
references:
  - https://attack.mitre.org/techniques/T1003/001/
author: LogTriage
date: 2026/06/22
logsource:
  product: windows
  category: process_access
detection:
  selection:
    EventID: 10
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess:
      - '0x1010'
      - '0x1410'
      - '0x1438'
      - '0x143a'
      - '0x1fffff'
  filter_legit:
    SourceImage|endswith:
      - '\wininit.exe'
      - '\csrss.exe'
      - '\MsMpEng.exe'
  condition: selection and not filter_legit
falsepositives:
  - EDR/AV and Windows internals accessing LSASS (allowlist SourceImage)
  - Sanctioned credential/backup tooling
level: critical
tags:
  - attack.credential_access
  - attack.t1003.001
What this rule detects
lsass.exe holds the credential material (NTLM hashes, Kerberos tickets, sometimes plaintext) for
interactive Windows sessions. Dumping it is the single most common post-exploitation step in
hands-on-keyboard intrusions — the heart of Mimikatz, comsvcs.dll MiniDump, and most
ransomware playbooks (MITRE T1003.001).
This Sigma rule fires on Sysmon Event ID 10 (ProcessAccess) where the TargetImage is
lsass.exe and the GrantedAccess mask includes the read rights needed to scrape memory — while
excluding the legitimate Windows components that routinely touch LSASS.
Detection logic
The precision comes from the access mask, not the target. Everything touches LSASS; only a
handful of access-right combinations (0x1010, 0x1410, 0x143a, 0x1fffff, …) correspond to the
PROCESS_VM_READ + query rights an attacker needs to read credential material. Matching those
masks — and allowlisting known-good SourceImages like wininit.exe and your EDR agent — keeps the
noise down.
For even higher fidelity, alert hardest when the SourceImage is itself suspicious: rundll32.exe,
powershell.exe, or any binary running from C:\Temp / a user profile.
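The rule's selection-and-filter logic applied to raw Sysmon records, as an added example that is not LogTriage's code: it parses two constructed Event ID 10 records in the Windows event XML shape and reports the SourceImages the rule fires on, matching strings case-insensitively as Sigma does.

```python
"""Apply the LSASS ProcessAccess Sigma rule to Sysmon Event ID 10 XML records."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SUSPICIOUS_MASKS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}  # from the rule
ALLOWLISTED_SOURCES = ("\\wininit.exe", "\\csrss.exe", "\\msmpeng.exe")  # filter_legit

# Constructed sample (not from sysmon_attack.xml): one benign Defender access to LSASS
# and one rundll32 access using the classic full-access mask, written in uppercase hex.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>10</EventID></System><EventData>
<Data Name="SourceImage">C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe</Data>
<Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1fffff</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>10</EventID></System><EventData>
<Data Name="SourceImage">C:\Windows\System32\rundll32.exe</Data>
<Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1FFFFF</Data>
</EventData></Event>
</Events>"""

def parse_sysmon_events(xml_text):
    """Yield one dict per <Event>: the EventID plus every EventData <Data Name=...> field."""
    root = ET.fromstring(xml_text)
    for ev in root.iter("{%s}Event" % NS["e"]):
        record = {"EventID": ev.findtext("e:System/e:EventID", namespaces=NS)}
        for data in ev.findall("e:EventData/e:Data", NS):
            record[data.get("Name")] = data.text or ""
        yield record

def matches_rule(record):
    """Sigma condition 'selection and not filter_legit'; Sigma string matches ignore case."""
    target = record.get("TargetImage", "").lower()
    access = record.get("GrantedAccess", "").lower()
    source = record.get("SourceImage", "").lower()
    selection = (record.get("EventID") == "10" and target.endswith("\\lsass.exe")
                 and access in SUSPICIOUS_MASKS)
    return selection and not source.endswith(ALLOWLISTED_SOURCES)

def find_lsass_access(xml_text):
    """Return the SourceImage of every record the rule alerts on, in log order."""
    return [r["SourceImage"] for r in parse_sysmon_events(xml_text) if matches_rule(r)]

if __name__ == "__main__":
    for hit in find_lsass_access(SAMPLE_EVENTS):
        print("ALERT: LSASS ProcessAccess from", hit)
```

The Defender record is dropped by the allowlist even though it carries 0x1fffff, while the rundll32 record alerts despite its uppercase mask; a mask outside the list (for example 0x1000) never matches.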
Validated against a real sample
Validated against sysmon_attack.xml (shipped with LogTriage), which contains an Event ID 10
ProcessAccess targeting C:\Windows\System32\lsass.exe alongside a CreateRemoteThread into LSASS
and a beacon.exe C2 connection. LogTriage’s host-activity scorer
floors these events to a high risk score and the report comes back critical — no SIEM required.
False positives
Legitimate Windows internals and EDR/AV agents access LSASS constantly; the filter_legit
allowlist removes the obvious ones. Add your endpoint-protection product’s process image to the
allowlist, and treat access from script interpreters or temp-directory binaries as high-confidence
malicious.
Frequently Asked Questions
- Why match on GrantedAccess masks instead of just any access to lsass.exe?
- Almost everything on Windows touches LSASS for benign reasons. The access masks (0x1010, 0x1410, 0x143a, …) single out handles opened with PROCESS_VM_READ / QUERY rights — the combination actually needed to scrape credential material from LSASS memory — which dramatically cuts noise versus alerting on any handle.
- Will this catch Mimikatz and comsvcs.dll MiniDump?
- Yes — both open LSASS with read access and surface as Sysmon Event ID 10 with these masks. Note that defenders should pair this with detections for LSASS dump *files* and unusual SourceImages (e.g. rundll32, powershell, a binary in C:\Temp).
- How does LogTriage score this without a SIEM?
- LogTriage's host-activity scorer floors any event referencing LSASS access, remote-thread injection, encoded PowerShell, or known offensive tooling to a high risk score, so endpoint attacks escalate to AI analysis even when there's no network IOC. Upload a Sysmon export and it surfaces automatically.