CRITICAL Microsoft Sysmon Credential Dumping / Post-Exploitation LTR-0003 ✓ validated

Detect LSASS Credential Dumping with Sysmon

MITRE ATT&CK: T1003.001, T1055

Sigma Rule

title: LSASS Process Access — Credential Dumping
id: c47a1e9d-3b62-4d57-8f0a-6b2d9e4c1a03
status: experimental
description: >
  Detects a process opening a handle to lsass.exe with the access rights needed to
  read process memory (credential dumping), the pattern behind Mimikatz, comsvcs.dll
  MiniDump, and most hands-on-keyboard intrusions. Based on Sysmon Event ID 10
  (ProcessAccess) where TargetImage is lsass.exe and GrantedAccess is one of the
  memory-read masks listed in the selection.
references:
  - https://attack.mitre.org/techniques/T1003/001/
author: LogTriage
date: 2026/06/22
logsource:
  product: windows
  category: process_access
detection:
  selection:
    EventID: 10
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess:
      - '0x1010'
      - '0x1410'
      - '0x1438'
      - '0x143a'
      - '0x1fffff'
  filter_legit:
    SourceImage|endswith:
      - '\wininit.exe'
      - '\csrss.exe'
      - '\MsMpEng.exe'
  condition: selection and not filter_legit
falsepositives:
  - EDR/AV and Windows internals accessing LSASS (allowlist SourceImage)
  - Sanctioned credential/backup tooling
level: critical
tags:
  - attack.credential_access
  - attack.t1003.001

What this rule detects

lsass.exe holds the credential material (NTLM hashes, Kerberos tickets, and plaintext passwords when WDigest caching is enabled) for logged-on Windows sessions. Dumping it is one of the most common post-exploitation steps in hands-on-keyboard intrusions, the heart of Mimikatz, comsvcs.dll MiniDump, and most ransomware playbooks (MITRE T1003.001).

This Sigma rule fires on Sysmon Event ID 10 (ProcessAccess) where the TargetImage is lsass.exe and the GrantedAccess mask is one of the values that carry the rights needed to read its memory, while excluding the legitimate Windows components that routinely touch LSASS. One prerequisite check: Sysmon does not log ProcessAccess events unless its configuration contains a ProcessAccess rule, so confirm your config records Event ID 10 for a TargetImage of lsass.exe (the common community baseline configs do) before relying on this rule.

Detection logic

The precision comes from the access mask, not the target. Many benign processes open handles to LSASS, but only a handful of access-right combinations correspond to what an attacker needs to read credential material. 0x1010 is PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, the minimal read-and-query pair; 0x1410 adds PROCESS_QUERY_INFORMATION; 0x1438 and 0x143a add PROCESS_VM_WRITE, PROCESS_VM_OPERATION and (for 0x143a) PROCESS_CREATE_THREAD; 0x1fffff is PROCESS_ALL_ACCESS. Matching those masks, and allowlisting known-good SourceImages like wininit.exe and your EDR agent, keeps the noise down.

For even higher fidelity, escalate hardest when the SourceImage is itself suspicious: rundll32.exe, powershell.exe, or any binary running from C:\Temp or a user profile.
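To see the mask decoding, the "selection and not filter_legit" logic, and the SourceImage ranking run end to end, here is an added Python example. It is not LogTriage code and not part of the original rule page. It parses constructed Sysmon Event ID 10 XML, applies the selection and filter exactly as transcribed from the YAML above, names the rights in each GrantedAccess mask, and ranks hits by SourceImage as the paragraph above recommends; the extra_allowlist parameter is the "add your EDR's image" step from the false-positives section. The SUSPICIOUS_IMAGES and SUSPICIOUS_DIRS lists, the P1/P2 labels, the sample paths and the sample events are all assumptions constructed for illustration, not captured telemetry.

```python
"""Evaluate the LSASS ProcessAccess Sigma logic against Sysmon Event ID 10 records.

Added example, not LogTriage code. The Sysmon XML below is constructed to mirror
the ProcessAccess event layout; none of it was captured from a real host.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SYSMON_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": SYSMON_NS}

# Process access rights from winnt.h; every mask in the rule is an OR of these.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF

# Transcribed from the rule: the selection masks and the filter_legit suffixes.
RULE_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}
FILTER_LEGIT = ("\\wininit.exe", "\\csrss.exe", "\\msmpeng.exe")
# Hypothetical high-confidence lists reflecting the page's advice; extend locally.
SUSPICIOUS_IMAGES = ("\\rundll32.exe", "\\powershell.exe", "\\pwsh.exe",
                     "\\wscript.exe", "\\cscript.exe")
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\")


def decode_mask(mask: int) -> list[str]:
    """Name the rights set in a GrantedAccess value (0x1010 -> VM_READ + QUERY_LIMITED)."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon <Event> into {'EventID': 10, 'SourceImage': ..., ...}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def evaluate(event: dict, extra_allowlist: tuple[str, ...] = ()) -> dict:
    """Apply 'selection and not filter_legit', then rank the SourceImage."""
    src = event.get("SourceImage", "").lower()
    tgt = event.get("TargetImage", "").lower()
    # Sigma compares strings case-insensitively; parsing the hex gives the same effect.
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    selection = (event.get("EventID") == 10
                 and tgt.endswith("\\lsass.exe")
                 and mask in RULE_MASKS)
    allowlisted = src.endswith(FILTER_LEGIT + tuple(a.lower() for a in extra_allowlist))
    fired = selection and not allowlisted
    if not fired:
        priority = "none"
    elif src.endswith(SUSPICIOUS_IMAGES) or any(d in src for d in SUSPICIOUS_DIRS):
        priority = "P1"  # script host or temp/profile binary reading LSASS
    else:
        priority = "P2"  # unknown source: triage, then allowlist by full path or escalate
    return {"fired": fired, "priority": priority, "source": src, "rights": decode_mask(mask)}


def sample_event(source: str, granted: str) -> str:
    """Build a minimal ProcessAccess event in Sysmon's XML layout (constructed sample)."""
    return (
        f'<Event xmlns="{SYSMON_NS}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
        f"<EventID>10</EventID></System><EventData>"
        f'<Data Name="SourceImage">{source}</Data>'
        f'<Data Name="TargetImage">C:\\Windows\\system32\\lsass.exe</Data>'
        f'<Data Name="GrantedAccess">{granted}</Data></EventData></Event>'
    )


SAMPLES = {  # constructed, illustrative values only
    "temp_binary_vm_read": sample_event("C:\\Users\\bob\\AppData\\Local\\Temp\\mk.exe", "0x1010"),
    "rundll32_all_access": sample_event("C:\\Windows\\System32\\rundll32.exe", "0x1FFFFF"),
    "defender_engine": sample_event(
        "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe", "0x1FFFFF"),
    "svchost_query_only": sample_event("C:\\Windows\\System32\\svchost.exe", "0x1000"),
    "unknown_agent": sample_event("C:\\Program Files\\Vendor EDR\\agent.exe", "0x1410"),
}


def run_samples(extra_allowlist: tuple[str, ...] = ()) -> dict[str, dict]:
    """Evaluate every constructed sample; returns {name: verdict}."""
    return {name: evaluate(parse_sysmon_event(xml), extra_allowlist)
            for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22} fired={verdict['fired']!s:5} {verdict['priority']:4} "
              + " | ".join(verdict["rights"]))
```

Running it shows the two things the rule relies on: the Defender engine opening LSASS with PROCESS_ALL_ACCESS is silenced only by the allowlist, not by the mask, and a query-only 0x1000 handle from svchost.exe never enters the selection at all. Passing extra_allowlist=("\\agent.exe",) is the page's "add your EDR image" step and silences the unknown_agent sample; because the match is on the filename suffix, prefer full-path entries in production.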

Validated against a real sample

Validated against sysmon_attack.xml (shipped with LogTriage), which contains an Event ID 10 ProcessAccess targeting C:\Windows\System32\lsass.exe alongside a CreateRemoteThread into LSASS and a beacon.exe C2 connection. LogTriage’s host-activity scorer floors these events to a high risk score and the report comes back critical — no SIEM required.

False positives

Legitimate Windows internals and EDR/AV agents access LSASS constantly; the filter_legit allowlist removes the obvious ones. Add your endpoint-protection product's process image to the allowlist, and treat access from script interpreters or temp-directory binaries as high-confidence malicious. Two caveats: filter_legit matches on the SourceImage filename suffix only, so a tool renamed to csrss.exe slips past it; where the path is stable, allowlist by full path (C:\Windows\System32\wininit.exe) rather than by filename. And a blanket exemption for your EDR also hides an attacker who runs inside that agent's process, so keep the allowlist short and review it periodically.

Frequently Asked Questions

Why match on GrantedAccess masks instead of just any access to lsass.exe?
Almost everything on Windows touches LSASS for benign reasons. The access masks (0x1010, 0x1410, 0x143a, …) single out handles opened with PROCESS_VM_READ / QUERY rights — the combination actually needed to scrape credential material from LSASS memory — which dramatically cuts noise versus alerting on any handle.
Will this catch Mimikatz and comsvcs.dll MiniDump?
Yes. Both must open a handle to LSASS with memory-read rights, so both surface as Sysmon Event ID 10; the exact mask varies by tool and version (Mimikatz-style readers request the minimal 0x1010 pair, dump-based tools often request broader masks up to 0x1fffff), which is why the selection lists several values. Pair this rule with detections for LSASS dump files written to disk (Sysmon Event ID 11 FileCreate for *.dmp) and for unusual SourceImages (rundll32, powershell, a binary in C:\Temp).
How does LogTriage score this without a SIEM?
LogTriage's host-activity scorer floors any event referencing LSASS access, remote-thread injection, encoded PowerShell, or known offensive tooling to a high risk score, so endpoint attacks escalate to AI analysis even when there's no network IOC. Upload a Sysmon export and it surfaces automatically.

Related Resources

See this detection run on a real report

Try the live demo with a pre-loaded malicious log set — no signup required — or upload your own log file and get a full AI-reviewed threat report in minutes.