{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/memdump/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","memdump","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies handle requests targeting the Local Security Authority Subsystem Service (LSASS) on Windows systems. LSASS is responsible for enforcing security policy, including user authentication and access token creation. Attackers often target LSASS to extract credential material stored in its memory, enabling lateral movement. The rule focuses on detecting specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) associated with memory dumping tools. This detection is tool-agnostic, meaning it doesn\u0026rsquo;t rely on specific tool names like Mimikatz or Procdump, but rather on the low-level behavior of requesting access to LSASS memory. The rule aims to identify potential credential access attempts regardless of the specific tool used. The original detection rule was created on 2022/02/16 and updated on 2026/05/12.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to an administrative or SYSTEM-level account, which carries the SeDebugPrivilege needed to open a handle to LSASS.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like Mimikatz, SharpDump, or a custom script to request a handle to the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe handle request specifies an access mask such as 0x1fffff, 0x1010, 0x120089, or 0x1F3FFF, indicating an intention to read process memory; 0x1010, for example, is PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, and 0x1fffff is PROCESS_ALL_ACCESS, both of which permit reading the target\u0026rsquo;s memory.\u003c/li\u003e\n\u003cli\u003eThe tool uses the obtained handle to read memory from the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the dumped memory to extract credentials, such as usernames, passwords, and NTLM hashes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful credential dumping allows attackers to steal user credentials stored in LSASS memory. These credentials can be used to perform lateral movement, escalate privileges, and gain access to sensitive data. This can lead to a complete compromise of the affected systems and potentially the entire network, depending on the scope of the attacker\u0026rsquo;s access and objectives. The number of victims and the sectors targeted depend on the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Handle Manipulation to generate the required event logs for the detections: \u003ca href=\"https://ela.st/audit-handle-manipulation\"\u003ehttps://ela.st/audit-handle-manipulation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;LSASS Memory Dump Handle Access\u0026rdquo; Sigma rule to your SIEM and tune its exclusions for your environment; unexpected EDR, AV, or backup agents that legitimately open LSASS are the usual source of false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate processes accessing LSASS memory that are not explicitly excluded in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected processes accessing LSASS and correlate with other suspicious activity.\u003c/li\u003e\n\u003cli\u003eReview and harden LSASS protection configurations (LSA Protection / RunAsPPL and Credential Guard) as outlined in Microsoft documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T19:38:12Z","date_published":"2026-05-15T19:38:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-lsass-memdump-handle-access/","summary":"Detection of handle requests to the LSASS process with specific access masks commonly used by tools to dump memory, indicating potential credential access attempts.","title":"LSASS Memory Dump Handle Access","url":"https://feed.craftedsignal.io/briefs/2026-05-lsass-memdump-handle-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Memdump","version":"https://jsonfeed.org/version/1.1"}
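The detection logic the brief describes (a handle request whose target is lsass.exe and whose access mask is one of 0x1fffff, 0x1010, 0x120089, 0x1F3FFF), run over constructed log records, as an added example; this is not the feed's code and not the Sigma project's rule. The records are built inline and modelled on the fields of Windows Security Event ID 4656 (EventID, ObjectType, ObjectName, AccessMask, ProcessName, SubjectUserName); that field naming, the `ExampleEDR` allowlist path and the `strict` switch are assumptions of this example, not part of the brief.

```python
"""Tool-agnostic detection of LSASS memory-dump handle requests (added example).

Records are constructed below, modelled on Security Event ID 4656 fields.
Field names are an assumption about how a SIEM exposes that event; adjust
the keys to your pipeline.
"""
import json

# Access masks named by the brief. Matching is on the integer value, so the
# case of the hex string in the log (0x1fffff vs 0x1FFFFF) does not matter.
SUSPICIOUS_MASKS = {0x1FFFFF, 0x1010, 0x120089, 0x1F3FFF}

# Win32 process-specific and standard access rights, low bit first, used to
# decode a mask into something an analyst can read.
PROCESS_RIGHTS = [
    (0x0001, "PROCESS_TERMINATE"),
    (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"),
    (0x0020, "PROCESS_VM_WRITE"),
    (0x0040, "PROCESS_DUP_HANDLE"),
    (0x0080, "PROCESS_CREATE_PROCESS"),
    (0x0100, "PROCESS_SET_QUOTA"),
    (0x0200, "PROCESS_SET_INFORMATION"),
    (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x0800, "PROCESS_SUSPEND_RESUME"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
    (0x10000, "DELETE"),
    (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"),
    (0x100000, "SYNCHRONIZE"),
]
PROCESS_VM_READ = 0x0010

# Illustrative allowlist of processes expected to open LSASS. The path is
# hypothetical; build the real list from a baseline of your own EDR/AV agents.
ALLOWED_SOURCE_PROCESSES = {r"c:\program files\exampleedr\agent.exe"}


def parse_mask(value):
    """AccessMask arrives as a hex string such as '0x1010'; normalise to int."""
    return int(str(value), 16)


def decode_process_rights(mask):
    """Return the names of the rights set in an access mask, low bit first."""
    return [name for bit, name in PROCESS_RIGHTS if mask & bit]


def is_lsass_dump_handle(event, strict=True):
    """True if this handle-request record looks like an LSASS memory dump.

    strict=True reproduces the brief's exact-mask match. strict=False is a
    broader variant (this example's own choice) that flags any mask carrying
    PROCESS_VM_READ, at the cost of more tuning work.
    """
    if str(event.get("EventID")) != "4656":
        return False
    if event.get("ObjectType") != "Process":
        return False
    if not str(event.get("ObjectName", "")).lower().endswith("\\lsass.exe"):
        return False
    if str(event.get("ProcessName", "")).lower() in ALLOWED_SOURCE_PROCESSES:
        return False
    mask = parse_mask(event.get("AccessMask", "0x0"))
    if strict:
        return mask in SUSPICIOUS_MASKS
    return bool(mask & PROCESS_VM_READ)


def detect(lines, strict=True):
    """Run the rule over JSON log lines and return analyst-ready alerts."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if is_lsass_dump_handle(event, strict):
            mask = parse_mask(event["AccessMask"])
            alerts.append({
                "source_process": event.get("ProcessName"),
                "subject": event.get("SubjectUserName"),
                "access_mask": f"0x{mask:x}",
                "rights": decode_process_rights(mask),
            })
    return alerts


LSASS = r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"

# Constructed sample records: one dump attempt, one allowlisted agent, one
# non-listed mask that still carries PROCESS_VM_READ, and three benign lines.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 4656, "ObjectType": "Process", "ObjectName": LSASS, "AccessMask": "0x1010",
     "ProcessName": r"C:\Users\alice\Downloads\dumper.exe", "SubjectUserName": "alice"},
    {"EventID": 4656, "ObjectType": "Process", "ObjectName": LSASS, "AccessMask": "0x1fffff",
     "ProcessName": r"C:\Program Files\ExampleEDR\agent.exe", "SubjectUserName": "SYSTEM"},
    {"EventID": 4656, "ObjectType": "Process", "ObjectName": LSASS, "AccessMask": "0x1410",
     "ProcessName": r"C:\Temp\custom.exe", "SubjectUserName": "alice"},
    {"EventID": 4656, "ObjectType": "Process", "ObjectName": LSASS, "AccessMask": "0x1000",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "SYSTEM"},
    {"EventID": 4656, "ObjectType": "Process", "AccessMask": "0x1fffff",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\notepad.exe",
     "ProcessName": r"C:\Users\alice\Downloads\dumper.exe", "SubjectUserName": "alice"},
    {"EventID": 4663, "ObjectType": "Process", "ObjectName": LSASS, "AccessMask": "0x1010",
     "ProcessName": r"C:\Temp\custom.exe", "SubjectUserName": "alice"},
]]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The strict mode flags only the dumper with 0x1010; the record with mask 0x1410 (PROCESS_VM_READ plus PROCESS_QUERY_INFORMATION and PROCESS_QUERY_LIMITED_INFORMATION) slips past an exact-mask rule and is only caught in the broader mode, which is the trade-off to weigh when tuning the Sigma rule's exclusion list.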