Sysmon 10
Sysmon Event ID for process access: the primary LSASS dump detection signal, captures which process opened a handle to lsass.exe and with what access rights
LSASS
Most targeted process for credential extraction: contains cached credentials for all currently logged-in users, service accounts, and domain accounts that have authenticated on the system
0x1010
Access mask for PROCESS_VM_READ + PROCESS_QUERY_LIMITED_INFORMATION: the minimal access needed to dump LSASS memory and a key detection indicator
Credential Guard
Windows 10/11 and Server 2016+ feature that stores credentials in an isolated Hyper-V VBS container: Mimikatz cannot extract credentials even with SYSTEM access

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

LSASS is the process that handles Windows authentication: it stores plaintext credentials for WDigest-authenticated sessions, NTLM hashes, Kerberos tickets, and cached domain credentials. It is the primary target of credential theft tools because reading it once yields credentials for every user who has authenticated on the system.

Detection has two tracks: alerting on the access (who is opening a handle to LSASS with memory-read access rights) and implementing Credential Guard, which makes extraction fail even when the process is accessed.

LSASS Dump Techniques and Their Signatures

Technique 1: Mimikatz sekurlsa::logonpasswords

Requires: SYSTEM or SeDebugPrivilege
Action: Opens lsass.exe handle with PROCESS_VM_READ access
Sysmon Event 10: SourceImage = mimikatz.exe, TargetImage = lsass.exe
Access mask: 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION)

Technique 2: ProcDump (legitimate Microsoft tool, frequently abused)

# Attacker command:
procdump.exe -ma lsass.exe C:\Windows\Temp\lsass.dmp

Sysmon Event 10: SourceImage = procdump.exe, TargetImage = lsass.exe
Also: Sysmon Event 11 (FileCreate) for the .dmp file

Technique 3: comsvcs.dll MiniDump (lives-off-the-land, no custom tool)

# No external tools required: uses a built-in Windows DLL
$lsassPID = (Get-Process lsass).Id
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsassPID C:\Windows\Temp\lsass.dmp full

Sysmon Event 10: SourceImage = rundll32.exe, TargetImage = lsass.exe
Sysmon Event 7 (ImageLoad): comsvcs.dll loaded by rundll32.exe

Technique 4: Task Manager (interactive, lower stealth)

Details tab > lsass.exe > right-click > Create dump file
Sysmon Event 10: SourceImage = taskmgr.exe, TargetImage = lsass.exe

Technique 5: Custom process injection / direct syscalls (advanced evasion)

Evades by:
- Not opening a handle to lsass.exe directly (uses kernel handles)
- Using direct syscalls to avoid EDR API hooks
- Dumping via a remote process (another machine reads LSASS over SMB)
Harder to detect: behavioral analysis of the resulting dump file or
correlation with network connections is required

Sysmon Event ID 10 Detection Rules

Sysmon Event ID 10 fires when any process opens a handle to another process. Configure Sysmon to log LSASS access:

Sysmon config for LSASS monitoring:

<RuleGroup name="" groupRelation="or">
  <ProcessAccess onmatch="include">
    <!-- Any process accessing LSASS -->
    <TargetImage condition="end with">lsass.exe</TargetImage>
  </ProcessAccess>
</RuleGroup>

<!-- Optionally, exclude known legitimate LSASS accessors to reduce noise -->
<ProcessAccess onmatch="exclude">
  <SourceImage condition="end with">MsMpEng.exe</SourceImage>  <!-- Windows Defender -->
  <SourceImage condition="end with">csrss.exe</SourceImage>
  <SourceImage condition="end with">wininit.exe</SourceImage>
  <SourceImage condition="end with">services.exe</SourceImage>
  <GrantedAccess condition="is">0x1000</GrantedAccess>  <!-- PROCESS_QUERY_LIMITED only -->
</ProcessAccess>

Microsoft Sentinel KQL: LSASS access detection:

SysmonEvent
| where EventID == 10  // ProcessAccess
| where TargetImage endswith "lsass.exe"
| where SourceImage !in (
    "C:\\Windows\\System32\\MsMpEng.exe",
    "C:\\Windows\\System32\\csrss.exe",
    "C:\\Windows\\System32\\wininit.exe",
    "C:\\Windows\\System32\\svchost.exe",
    "C:\\Windows\\System32\\services.exe",
    "C:\\Program Files\\Windows Defender\\MsMpEng.exe"
  )
// Alert specifically on access masks used for memory reading
| where GrantedAccess in~ ("0x1010", "0x1038", "0x40", "0x1410", "0x1fffff")
    or GrantedAccess has "0x10"  // PROCESS_VM_READ bit
| project
    TimeGenerated,
    Computer,
    SourceImage,
    SourceUser,
    TargetImage,
    GrantedAccess,
    CallTrace
| sort by TimeGenerated desc

Splunk SPL: LSASS dump file creation:

(index=sysmon EventCode=11 TargetFilename="*.dmp")
OR (index=sysmon EventCode=10 TargetImage="*lsass*" NOT SourceImage IN ("*MsMpEng*","*csrss*","*wininit*"))
| eval risk=case(
    match(TargetFilename, "lsass"), "CRITICAL",
    EventCode==10 AND match(GrantedAccess, "0x1010|0x1fffff"), "HIGH",
    true(), "MEDIUM"
  )
| table _time, ComputerName, SourceImage, TargetImage, TargetFilename, GrantedAccess, risk
| sort -_time
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Mitigation: Credential Guard and LSASS Protection

Detection alerts you after the fact. Mitigation prevents credential extraction even when LSASS is accessed.

Credential Guard (most effective mitigation):

Credential Guard stores NTLM hashes and Kerberos tickets in a Hyper-V isolated container (Virtual Secure Mode). Even with SYSTEM access, tools like Mimikatz cannot extract these credentials because they never appear in the regular OS memory space.

Requirements: Windows 10/11 Enterprise or Education, Server 2016+, UEFI Secure Boot, 64-bit CPU with virtualization extensions.

# Enable via Group Policy:
# Computer Configuration > Administrative Templates >
# System > Device Guard >
# "Turn On Virtualization Based Security" = Enabled
# > Credential Guard Configuration = Enabled with UEFI lock

# Or via registry:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v RequirePlatformSecurityFeatures /t REG_DWORD /d 3 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 1 /f

# Verify Credential Guard is running
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
# 1 = VSM, 2 = Credential Guard: should see 2 in the output

LSASS Protected Process Light (PPL):

PPL marks LSASS as a protected process: standard user-mode tools cannot open a debug handle to it:

# Enable via registry (reboot required)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f

# Or via Group Policy:
# Computer Configuration > Administrative Templates >
# System > Local Security Authority >
# "Configure LSASS to run as a protected process" = Enabled

Note: PPL blocks many LSASS dump techniques but can be bypassed by kernel-level rootkits. Credential Guard is more robust.

Disable WDigest authentication (prevents plaintext password caching):

# WDigest is disabled by default in Windows 8.1 and Server 2012 R2+
# Verify it is disabled:
(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest).UseLogonCredential
# Should return 0 or not exist

# If it is 1 (enabled), disable it:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest \
  -Name UseLogonCredential -Value 0

The bottom line

LSASS credential dumping is detected via Sysmon Event ID 10 filtered for LSASS as the target with access masks that include PROCESS_VM_READ (0x10 bit), excluding known-legitimate processes. The key techniques to detect: Mimikatz (direct handle to lsass.exe), ProcDump (procdump.exe targeting lsass), comsvcs.dll MiniDump (rundll32 loading comsvcs.dll), and Task Manager dumps. Prevention is more reliable than detection: enable Credential Guard on all workstations and servers (stores credentials in VBS container, inaccessible to user-mode tools), enable LSASS PPL, and disable WDigest to prevent plaintext password caching.

Frequently asked questions

How do you detect Mimikatz LSASS credential dumping?

Deploy Sysmon and monitor Event ID 10 (process access) where TargetImage is lsass.exe and GrantedAccess includes the PROCESS_VM_READ bit (0x10). Filter out known legitimate LSASS accessors (MsMpEng.exe, csrss.exe, wininit.exe). Any remaining process opening LSASS with read access is suspicious. Also monitor for .dmp files created in temporary directories (Sysmon Event ID 11).

How do you prevent LSASS credential dumping?

Enable Windows Credential Guard (stores credentials in a Hyper-V VBS container inaccessible to user-mode code), enable LSASS Protected Process Light (RunAsPPL registry key), and disable WDigest authentication (prevents plaintext passwords from being cached in LSASS memory). Credential Guard is the most robust control: even with SYSTEM access, Mimikatz cannot extract credentials that Credential Guard protects.

What is Mimikatz and how does it dump credentials from LSASS?

Mimikatz is an open-source credential extraction tool created by Benjamin Delpy that reads credentials from the Windows Local Security Authority Subsystem Service (LSASS) process memory. The sekurlsa::logonpasswords command extracts NTLM hashes and, in older Windows configurations, plaintext passwords for all users with active sessions on the system. LSASS holds credentials in memory to support single sign-on across Windows services. Mimikatz requires SYSTEM or Debug privilege to access the LSASS process. It is used by virtually every major ransomware group and APT actor for credential harvesting during lateral movement.

What is Windows Credential Guard and how do I enable it?

Windows Credential Guard uses Hyper-V virtualization-based security (VBS) to isolate derived credentials in a separate virtual environment inaccessible to the main Windows OS. Even with SYSTEM-level access to the host, Mimikatz cannot extract Credential Guard-protected credentials because they exist in a separate VMs context. Enable: in Group Policy, Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security > set to Enabled with Credential Guard set to 'Enabled with UEFI lock'. Requires: 64-bit Windows 10/11 Enterprise (not Home or Pro), Secure Boot enabled, UEFI firmware (not BIOS), and hardware virtualization support. Check eligibility with Device Guard and Credential Guard hardware readiness tool.

What is LSASS Protected Process Light (PPL) and how does it differ from Credential Guard?

LSASS Protected Process Light (PPL) marks the LSASS process as a protected process, preventing code injection and memory reading by non-protected processes -- including processes running as SYSTEM. Enable via registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa, add DWORD RunAsPPL = 1, and restart. Unlike Credential Guard, PPL does not move credentials to an isolated VM: it just restricts which processes can access LSASS. PPL can be bypassed with kernel-level drivers. Credential Guard is the stronger control: it makes credential extraction technically infeasible even with kernel access, while PPL only raises the bar for user-mode attacks.

How do you differentiate legitimate LSASS access from credential dumping attempts using Windows event logs?

Event ID 4656 (handle requested to LSASS) and Event ID 10 in Sysmon (process access to LSASS) are the primary detection signals. Legitimate access comes from processes like antivirus engines, Windows Defender, and Local Security Authority Subsystem itself -- these have well-known parent processes and consistent access masks. Malicious access patterns include: unknown processes requesting PROCESS_VM_READ (0x0010) or PROCESS_QUERY_INFORMATION (0x0400) access masks, processes with uncommon parent relationships (e.g., cmd.exe spawning a process that reads LSASS), access occurring from unusual working directories, or access from processes without a valid code signature. In Microsoft Defender for Endpoint, the DeviceEvents table logs ProcessAccess events; query for FileName = 'lsass.exe' where InitiatingProcessFileName is not in your known-good allowlist. Correlate with network connections immediately following access: credential dumping is usually a precursor to lateral movement, so LSASS access followed within minutes by new SMB or RDP connections to other hosts is a high-confidence indicator of active credential theft.

Sources & references

  1. MITRE ATT&CK T1003.001: LSASS Memory
  2. Microsoft: Credential Guard Overview
  3. SwiftOnSecurity: Sysmon Configuration for LSASS

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.