Detecting Credential Harvesting via LSASS Minidump Analysis

In the modern enterprise, the Local Security Authority Subsystem Service (LSASS) is the "Crown Jewels" of the Windows operating system. As the central authority for managing user authentication, security policies, and access tokens, LSASS holds the keys to the kingdom: NTLM hashes, Kerberos tickets (TGTs and TGSs), and, in poorly configured environments, even plaintext credentials.

For an adversary, gaining access to LSASS is the ultimate objective of a lateral movement phase. However, the era of "noisy" credential dumping-where tools like Mimikatz directly interact with LSASS memory via `ReadProcessMemory`-is largely over in well-defended environments. Modern EDR (Endpoint Detection and Response) solutions are highly tuned to detect these direct memory access patterns.

To circumvent this, sophisticated actors have pivoted to a much stealthier technique: Minidump-based credential harvesting. Instead of interacting with LSASS directly, they trigger a legitimate Windows mechanism to create a memory snapshot (a minidNP) of the process. This snapshot is then exfiltrated and analyzed offline. This post explores the mechanics of this technique and provides a blueprint for detection.

The Mechanics: From Memory Injection to Minidump

The core problem for an attacker is that calling `OpenProcess` on `lsass.exe` with `PROCESS_VM_READ` permissions is a massive red flag for security telemetry. To bypass this, attackers leverage "Living-off-the-Land" (LotL) binaries that possess the inherent permission to interact with system processes.

The `comsvcs.dll` Technique

One of the most prevalent methods involves using `rundll32.exe` to call the `MiniDump` function within `comsvcs.dll`. This is a legitimate, Microsoft-signed DLL used for COM+ services. The command typically looks like this:

```cmd

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Users\Public\lsass.dmp full

```

By using a legitimate system DLL, the attacker avoids dropping a custom malicious binary on the disk. The heavy lifting of reading the memory and writing the file is performed by a trusted Windows component, making signature-based detection ineffective.

The `procdump` Approach

Similarly, attackers often use Sysinternals `procdump.exe`. While `procdump` is a legitimate administrative tool, its use to target LSASS is almost always indicative of malicious activity. Because `procdump` is a signed, well-known utility, it often bypasses basic "untrusted executable" alerts.

Detection Vectors

Detecting minidump creation requires a multi-layered approach, focusing on the process, the handle, and the resulting file artifact.

1. Process and Command Line Analysis

The first line of defense is monitoring command-line arguments for suspicious patterns. We are not just looking for `lsass.exe`, but for the intent of the command.

What to look for:

• `rundll32.exe` + `comsvcs.dll` + `MiniDump`: This is a high-fidelity indicator. There is almost no legitimate administrative reason for `comsvcs.dll` to perform a minidump of LSASS.
• `procdump.exe` targeting LSASS: Monitor for any instance of `procdump` where the target process is `lsass.exe`.
• Unexpected Parent Processes: If `rundll32.exe` or `procdump.exe` is spawned by `cmd.exe`, `powershell.exe`, or a web server process (like `w3wp.exe`), the risk score should escalate significantly.

2. Handle Tracing (Sysmon Event ID 10)

If an attacker uses a custom tool that doesn't rely on `comsvcs.dll`, they still must obtain a handle to the LSASS process with specific access rights. Using Sysmon, you can monitor `ProcessAccess` events.

Detection Logic:

Filter for `TargetImage` containing `lsass.exe` where the `GrantedAccess` mask includes:

• `0x1410` (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ)
• `0x10` (PROCESS_VM_READ)

While some legitimate processes (like AV or backup agents) may request these permissions, a sudden spike in `ProcessAccess` requests to LSASS from an unknown or non-system process is a critical alert.

3. File System Artifacts (Sysmon Event ID 11)

The creation of a `.dmp` or `.log` file in highly writable, non-standard directories is a significant indicator of compromise (IoC).

Target Directories:

• `C:\Windows\Temp\`
• `C:\Users\Public\`
• `C:\ProgramData\`

An alert should trigger when a file with a `.dmp` extension is created by a process other than a known-good system utility, especially if the file size is large (LSASS dumps are often hundreds of megabytes).

Practical Implementation: A Sysmon Configuration

To implement this detection, you can use the following Sysmon configuration snippet to target the `comsvcs.dll` technique specifically.

```xml

<Sysmon schemaversion="4.30">

<EventFiltering>

<ProcessAccess onmatch="include">

<TargetProcess name="lsass.exe">

<Rule group="GrantedAccess" value="0x1410" />

</TargetProcess>

</ProcessAccess>

<ProcessCreate onmatch="

```

Conclusion

As shown across "The Mechanics: From Memory Injection to Minidump", "Detection Vectors", "Practical Implementation: A Sysmon Configuration", a secure implementation for detecting credential harvesting via lsass minidump analysis depends on execution discipline as much as design.

The practical hardening path is to enforce strict token/claim validation and replay resistance, deterministic identity policy evaluation with deny-by-default semantics, and host hardening baselines with tamper-resistant telemetry. This combination reduces both exploitability and attacker dwell time by forcing failures across multiple independent control layers.

Operational confidence should be measured, not assumed: track false-allow rate and time-to-revoke privileged access and time from suspicious execution chain to host containment, then use those results to tune preventive policy, detection fidelity, and response runbooks on a fixed review cadence.