LSASS Memory Dump Handle Access
Detection of handle requests to the LSASS process with specific access masks commonly used by tools to dump memory, indicating potential credential access attempts.
This detection identifies handle requests targeting the Local Security Authority Subsystem Service (LSASS) on Windows systems. LSASS enforces the local security policy, including user authentication and access token creation, and therefore keeps credential material for logged-on users in its memory. Attackers target that memory to extract credentials for lateral movement. The rule matches a small set of access masks associated with memory dumping tools: 0x1fffff and 0x1F3FFF (full access to the process, 0x1fffff being PROCESS_ALL_ACCESS on current Windows versions), 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, the minimum a tool needs to read another process's memory) and 0x120089. The detection is tool-agnostic: it does not rely on process names such as Mimikatz or Procdump, but on the low-level behaviour of requesting a handle to LSASS with rights that allow reading its memory, so it applies regardless of which tool is used. The original detection rule was created on 2022/02/16 and updated on 2026/05/12.
Attack Chain
- An attacker gains initial access to a Windows system.
- The attacker escalates privileges to an administrative or SYSTEM account; opening a handle to LSASS requires a privilege such as SeDebugPrivilege, which standard users do not hold.
- The attacker uses a tool like Mimikatz, SharpDump, or a custom script to request a handle to the LSASS process.
- The handle request specifies an access mask such as 0x1fffff, 0x1010, 0x120089 or 0x1F3FFF, each of which includes the right to read the process's memory (PROCESS_VM_READ, bit 0x10), and is recorded as Event ID 4656 when handle auditing is enabled.
- The tool uses the obtained handle to read memory from the LSASS process.
- The attacker parses the dumped memory to extract credentials, such as usernames, passwords, and NTLM hashes.
- The attacker uses the stolen credentials to move laterally to other systems on the network.
- The attacker achieves their final objective, such as data exfiltration or system compromise.
Impact
A successful dump gives the attacker the credential material LSASS holds in memory, such as usernames, passwords and NTLM hashes, for every account that has logged on to the host. Those credentials can be replayed to move laterally, escalate privileges and reach sensitive data, so a single compromised host can lead to the compromise of the entire network; how far that goes depends on which accounts had logged on to the dumped host and on the attacker's objectives.
Recommendation
- Enable Audit Handle Manipulation so that the Security log records handle requests as Event ID 4656: https://ela.st/audit-handle-manipulation. Because lsass.exe is a Process object, confirm that the Audit Kernel Object subcategory is enabled as well, and verify on a test host that 4656 events naming lsass.exe actually appear before relying on the rule.
- Deploy the "LSASS Memory Dump Handle Access" Sigma rule to your SIEM and tune it for your environment, for example by excluding the full paths of EDR and antivirus agents that legitimately open LSASS.
- Investigate any process that obtains a matching handle to LSASS and is not explicitly excluded in the Sigma rule.
- Monitor for unexpected processes accessing LSASS and correlate the handle request with surrounding activity (process creation, file writes of .dmp files, subsequent logons from the host).
- Review and harden LSASS protection, such as running LSASS as a protected process (RunAsPPL) and enabling Credential Guard, as outlined in vendor documentation.
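The following is an added example, not the page's rule or the platform's code. It applies the matching logic described above (Event ID 4656, a Process object whose name ends in \lsass.exe, one of the four access masks) to a few constructed Security log records, decodes each matching mask into PROCESS_* rights so an analyst can see what was requested, and drops hits from an allowlist as the tuning step recommended above. The text rendering of the records, the sample paths and the allowlist entry are assumptions made for the example.

```python
"""Added example (not the page's rule or the platform's code): run the
LSASS handle-access detection over constructed 4656 records, decode the
access masks, and apply a hypothetical tuning allowlist."""
import re
from dataclasses import dataclass

# PROCESS_* specific rights and the standard rights, values as in winnt.h.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
KNOWN_BITS = sum(PROCESS_RIGHTS)  # keys are distinct bits, so sum == OR

# The masks the rule on this page matches.
SUSPICIOUS_MASKS = {0x1FFFFF, 0x1010, 0x120089, 0x1F3FFF}

# Hypothetical tuning allowlist: lower-cased full paths of agents that open
# LSASS legitimately in this environment. Replace with your own.
ALLOWLIST = {r"c:\program files\exampleedr\sensor.exe"}


def decode_mask(mask: int) -> list[str]:
    """Expand an access mask into right names; undefined bits are kept as hex."""
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append(f"unknown:{leftover:#x}")
    return names


@dataclass(frozen=True)
class HandleEvent:
    event_id: int
    object_type: str
    object_name: str
    access_mask: int
    process_name: str  # the process that requested the handle


def parse_event(text: str) -> HandleEvent:
    """Parse a 'Field: Value' per-line rendering of a Security event (assumed format)."""
    fields = dict(re.findall(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$", text, re.MULTILINE))
    return HandleEvent(
        event_id=int(fields["Event ID"]),
        object_type=fields.get("Object Type", ""),
        object_name=fields.get("Object Name", ""),
        access_mask=int(fields.get("Access Mask", "0"), 16),
        process_name=fields.get("Process Name", ""),
    )


def matches_rule(ev: HandleEvent) -> bool:
    """The page's detection: 4656 on a Process object named lsass.exe with a listed mask."""
    return (
        ev.event_id == 4656
        and ev.object_type == "Process"
        and ev.object_name.lower().endswith("\\lsass.exe")
        and ev.access_mask in SUSPICIOUS_MASKS
    )


def triage(records: list[str]) -> list[dict]:
    """Run the rule over raw records; return hits that survive the allowlist, with decoded rights."""
    hits = []
    for ev in map(parse_event, records):
        if not matches_rule(ev) or ev.process_name.lower() in ALLOWLIST:
            continue
        hits.append({"process": ev.process_name, "mask": ev.access_mask,
                     "rights": decode_mask(ev.access_mask)})
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # Unknown binary asks for PROCESS_ALL_ACCESS on LSASS: alert.
    r"""
    Event ID:      4656
    Object Type:   Process
    Object Name:   \Device\HarddiskVolume2\Windows\System32\lsass.exe
    Access Mask:   0x1fffff
    Process Name:  C:\Windows\Temp\dump.exe
    """,
    # Allowlisted agent with the minimal read mask: matched, then suppressed.
    r"""
    Event ID:      4656
    Object Type:   Process
    Object Name:   \Device\HarddiskVolume2\Windows\System32\lsass.exe
    Access Mask:   0x1010
    Process Name:  C:\Program Files\ExampleEDR\sensor.exe
    """,
    # Same minimal mask from a user's Temp directory: alert.
    r"""
    Event ID:      4656
    Object Type:   Process
    Object Name:   \Device\HarddiskVolume2\Windows\System32\lsass.exe
    Access Mask:   0x1010
    Process Name:  C:\Users\bob\AppData\Local\Temp\pd.exe
    """,
    # Query-only handle (no PROCESS_VM_READ): not in the mask list, no alert.
    r"""
    Event ID:      4656
    Object Type:   Process
    Object Name:   \Device\HarddiskVolume2\Windows\System32\lsass.exe
    Access Mask:   0x1000
    Process Name:  C:\Windows\System32\svchost.exe
    """,
    # Full access to a different process: not LSASS, no alert.
    r"""
    Event ID:      4656
    Object Type:   Process
    Object Name:   \Device\HarddiskVolume2\Windows\System32\notepad.exe
    Access Mask:   0x1fffff
    Process Name:  C:\Windows\Temp\dump.exe
    """,
    # Handle close event: wrong event ID, no alert.
    r"""
    Event ID:      4658
    Process Name:  C:\Windows\Temp\dump.exe
    """,
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['process']} requested {hit['mask']:#x}: {', '.join(hit['rights'])}")
```

Decoding the masks is what makes the alert actionable: 0x1010 reads as PROCESS_VM_READ plus PROCESS_QUERY_LIMITED_INFORMATION, exactly what a dumper needs and nothing more, while 0x1fffff leaves two undefined bits (0xC000) that the decoder reports as unknown rather than silently dropping. The allowlist compares full lower-cased paths, not bare image names, so a copy of the agent binary dropped in a user's Temp directory still alerts.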
Detection coverage (2 rules)
LSASS Memory Dump Handle Access
Severity: medium. Detects handle requests for the LSASS process with specific access masks indicative of memory dumping.
Windows Event 4656 - LSASS Object Access
Severity: medium. Detects Windows Event ID 4656 events indicating access to the LSASS process with specific access masks used for memory dumping.