LSASS credential dumping is consistently one of the most impactful post-exploitation techniques available. Understanding the technique landscape — and the detection surface each method exposes — is essential for both sides of the engagement.
The Classic: Task Manager / ProcDump
The simplest approach. Right-click LSASS in Task Manager, “Create dump file”. Or:
```
procdump.exe -accepteula -ma lsass.exe lsass.dmp
```
Detection: Every legitimate security product flags this. ProcDump is a signed Microsoft binary (Sysinternals), but the pattern is trivially caught by EDR. Event ID 10 (process access) in Sysmon with lsass.exe as the target is the canonical detection.
Comsvcs.dll MiniDump
A living-off-the-land technique using a DLL already on the system:
```powershell
$id = (Get-Process lsass).Id
rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump $id C:\Temp\lsass.dmp full
```
This is a living-off-the-land technique in the most literal sense — rundll32.exe and comsvcs.dll are both legitimate, Microsoft-signed Windows components. No custom tooling required.
Detection: rundll32.exe spawning with comsvcs.dll and MiniDump arguments. High-fidelity detection. Also caught by AMSI in modern environments.
Direct Syscalls
The more interesting category. EDR hooks NtReadVirtualMemory and related calls in user space. Direct syscalls bypass these hooks entirely by invoking the kernel directly.
The arms race between LSASS protection and dumping techniques has led some attackers to skip userspace entirely. BYOVD-based EDR killers load a vulnerable kernel driver to disable security tooling before LSASS is touched — eliminating the detection window that direct syscall techniques still expose.
Tools in this space: SysWhispers, Dumpert, NanoDump.
The detection shift here moves from user-space hooks to kernel callbacks (PsSetLoadImageNotifyRoutine, ObRegisterCallbacks) and ETW (Event Tracing for Windows).
Detection: ETW-based detection of syscall patterns, kernel callbacks on process handle acquisition, and behavioral analysis of what reads process memory with PROCESS_VM_READ access to LSASS.
Practical Detection Stack
Regardless of technique, LSASS dumping leaves traces across multiple telemetry sources:
| Source | Event | Signal |
|---|---|---|
| Sysmon ID 10 | Process access | GrantedAccess 0x1FFFFF on lsass.exe |
| Security 4656 | Handle request | PROCESS_VM_READ to lsass.exe |
| ETW | WinAPI trace | NtReadVirtualMemory on lsass PID |
| AV/EDR | Memory scan | Dump file signatures |
The most robust detection layers kernel-level telemetry with behavioral correlation — not just signature matching on tools.
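The following is an added example, not code from the original post: a small detector that applies the Sysmon Event ID 10 logic from the ProcDump section and the rundll32/comsvcs.dll command-line logic from the MiniDump section to the telemetry listed in the table above. It assumes Sysmon events have been exported as one JSON object per line (a common SIEM forwarding format); the field names mirror Sysmon's own (SourceImage, TargetImage, GrantedAccess, CommandLine), the sample log is constructed for the demo, and the allowlist of benign LSASS accessors is a placeholder an operator would replace with a baseline from their own fleet.

```python
import json
import re

# Process access rights from winnt.h; Sysmon reports GrantedAccess as a hex mask.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed allowlist for the demo: processes that open LSASS during normal
# operation on this host. A real list comes from a baseline, not from guessing.
BENIGN_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
}

# Command-line patterns for the two tool-based techniques described in the post.
CMDLINE_RULES = [
    ("procdump_lsass", re.compile(r"procdump.*\blsass\b", re.IGNORECASE)),
    ("comsvcs_minidump", re.compile(r"comsvcs\.dll.*\bminidump\b", re.IGNORECASE)),
]


def decode_access(mask):
    """Return the names of the access rights set in a GrantedAccess mask."""
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def check_process_access(ev):
    """Sysmon Event ID 10: a handle to lsass.exe carrying memory-read rights."""
    if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    if ev["SourceImage"].lower() in BENIGN_SOURCES:
        return None
    mask = int(ev["GrantedAccess"], 16)
    if mask == PROCESS_ALL_ACCESS:
        rule = "lsass_full_access"
    elif mask & PROCESS_VM_READ:
        rule = "lsass_memory_read"
    else:
        return None  # query-only handles are routine and not worth an alert
    return {"rule": rule, "source": ev["SourceImage"], "rights": decode_access(mask)}


def check_process_create(ev):
    """Sysmon Event ID 1: command lines matching known dump tooling."""
    for rule, pattern in CMDLINE_RULES:
        if pattern.search(ev.get("CommandLine", "")):
            return {"rule": rule, "source": ev["Image"], "cmdline": ev["CommandLine"]}
    return None


CHECKS = {10: check_process_access, 1: check_process_create}


def scan(log_lines):
    """Run the checks over JSON-encoded Sysmon events, one event per line."""
    alerts = []
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        check = CHECKS.get(ev["EventID"])
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real host data). Backslashes are doubled
# because the values are JSON strings; the Python literal is raw.
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Tools\\procdump.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\rundll32.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Tools\\procdump.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\windows\\system32\\comsvcs.dll, MiniDump 624 C:\\Temp\\lsass.dmp full"}
{"EventID": 1, "Image": "C:\\Tools\\procdump.exe", "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Temp\\notes.txt"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Of the eight constructed events, four fire: the ProcDump handle with 0x1FFFFF, the rundll32 handle with 0x1010 (PROCESS_VM_READ plus PROCESS_QUERY_LIMITED_INFORMATION), and the two process-creation command lines. The Defender handle is suppressed by the allowlist, the svchost handle carries no read right, and the notepad target is not LSASS. Decoding the mask rather than matching a single literal value matters in practice because dump tooling requests different rights (0x1010, 0x1410 and 0x1FFFFF are all seen), and the bit that makes a handle dangerous is PROCESS_VM_READ.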
Related Posts
- Pentest Cheat Sheet — SAM dump, Mimikatz and Windows post-exploitation command reference
- BYOVD Attacks — kernel-level EDR evasion that creates a blind spot for LSASS dumping operations
- LOLBins in 2026 — the comsvcs.dll technique is one of many living-off-the-land abuse patterns documented here
- Kerberoasting Deep Dive — credential access via service ticket cracking, often used alongside LSASS dumping
- ADCS Abuse with Certipy — certificate-based credential access that bypasses LSASS protection entirely
- AD Attack Chains: Initial Access to Domain Admin — full kill chain context for where LSASS dumping fits in post-exploitation
- Active Directory Attacks: The Complete Attack Path Guide — structured overview of every AD attack technique, from enumeration to cloud pivot