A non-privileged or otherwise abnormal process opens a handle to lsass.exe with full access (GrantedAccess 0x1F0FFF, the legacy PROCESS_ALL_ACCESS mask, as reported by Sysmon Event ID 10) and, within a short window, writes a memory dump file, runs a known dumping command line, or modifies the registry in a way indicative of credential scraping. Chaining the handle open with the follow-on action is what separates staged credential theft from the routine LSASS access generated by security products and system processes.
| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| User Account Metadata (DC0013) | WinEventLog:Security | EventCode=4673 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |

| Field | Description |
|---|---|
| AccessMask | Value to match in the GrantedAccess field of Sysmon Event ID 10. 0x1F0FFF (full access) catches tools such as procdump; minimal read masks such as 0x1010 (PROCESS_VM_READ plus PROCESS_QUERY_LIMITED_INFORMATION) catch Mimikatz-style readers at the cost of more noise. Start broad, then scope down to the masks your environment actually sees. |
| TimeWindow | Defines time between LSASS access and dump file creation or registry modification (e.g., 5 minutes). |
| ParentProcessName | Allowlist known legitimate tools (e.g., AV/EDR) that access lsass.exe. In Event ID 10 the accessing process is SourceImage; match on its full path rather than the bare file name, since dumping tools are routinely renamed. |
| DumpFilePath | Paths and names where memory dumps are written, e.g., %TEMP%, C:\Windows\Temp, or any file ending in .dmp. |
| CommandLinePattern | Common dumping syntax, e.g., rundll32 with comsvcs.dll,MiniDump, procdump -ma lsass.exe, or Invoke-Mimikatz. |