T1003.001 — LSASS Memory

Technique

T1003.001

Tactics

Credential Access

MISP citations

0

KEV CVEs mapped

4

Community rules

79

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1003/001

MITRE description

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550). As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. For example, on the target host use procdump: * <code>procdump -ma lsass.exe lsass_dump</code> Locally, mimikatz can be run using: * <code>sekurlsa::Minidump lsassdump.dmp</code> * <code>sekurlsa::logonPasswords</code> Built-in Windows tools such as `comsvcs.dll` can also be used: * <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector) Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS) Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) The following SSPs can be used to access credentials: * Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package. * Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection) * Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. * CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-32706
• CVE-2025-32701
• CVE-2024-4577
• CVE-2023-26360

Detection coverage

SigmaHQ community rules

• NotPetya Ransomware Activity (emerging-threats)
• APT31 Judgement Panda Activity (emerging-threats)
• Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process (threat-hunting)
• Potential Credential Dumping Attempt Via PowerShell (threat-hunting)
• LSASS Access From Program In Potentially Suspicious Folder (threat-hunting)
• Uncommon GrantedAccess Flags On LSASS (threat-hunting)
• Antivirus Password Dumper Detection (core)
• Transferring Files with Credential Data via Network Shares - Zeek (core)
• LSASS Process Crashed - Application (core)
• LSASS Access From Non System Account (core)
• Credential Dumping Tools Service Execution - Security (core)
• Potentially Suspicious AccessMask Requested From LSASS (core)
• Password Dumper Activity on LSASS (core)
• Transferring Files with Credential Data via Network Shares (core)
• Credential Dumping Tools Service Execution - System (core)
• Mimikatz Use (core)
• LSASS Access Detected via Attack Surface Reduction (core)
• Potential Credential Dumping Attempt Via PowerShell Remote Thread (core)
• Password Dumper Remote Thread in LSASS (core)
• Cred Dump Tools Dropped Files (core)
• HackTool - CrackMapExec File Indicators (core)
• HackTool - Dumpert Process Dumper Default File (core)
• HackTool - SafetyKatz Dump Indicator (core)
• HackTool - Impacket File Indicators (core)
• LSASS Process Memory Dump Files (core)

Showing 25 of 79 community rules — the full set is tagged attack.t1003.001 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.