LSASS credential dumping is consistently one of the most impactful post-exploitation techniques available. Understanding the technique landscape — and the detection surface each method exposes — is essential for both sides of the engagement.
The Classic: Task Manager / ProcDump
The simplest approach. Right-click LSASS in Task Manager, “Create dump file”. Or:
```cmd
procdump.exe -accepteula -ma lsass.exe lsass.dmp
```

Detection: Every legitimate security product flags this. ProcDump is a signed Microsoft binary (Sysinternals), but the pattern is trivially caught by EDR. Event ID 10 (process access) in Sysmon with lsass.exe as the target is the canonical detection.
Comsvcs.dll MiniDump
A living-off-the-land technique using a DLL already on the system:
```powershell
$id = (Get-Process lsass).Id
rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump $id C:\Temp\lsass.dmp full
```

Detection: rundll32.exe spawning with comsvcs.dll and MiniDump arguments is a high-fidelity detection. Also caught by AMSI in modern environments.
Direct Syscalls
The more interesting category. EDR hooks NtReadVirtualMemory and related calls in user space. Direct syscalls bypass these hooks entirely by invoking the kernel directly.
Tools in this space: SysWhispers, Dumpert, NanoDump.
Detection here shifts from user-space hooks to kernel callbacks (PsSetLoadImageNotifyRoutine, ObRegisterCallbacks) and ETW (Event Tracing for Windows).
Detection: ETW-based detection of syscall patterns, kernel callbacks on process handle acquisition, and behavioral analysis of what reads process memory with PROCESS_VM_READ access to LSASS.
Practical Detection Stack
Regardless of technique, LSASS dumping leaves traces across multiple telemetry sources:
| Source | Event | Signal |
|---|---|---|
| Sysmon ID 10 | Process access | GrantedAccess 0x1FFFFF on lsass.exe |
| Security 4656 | Handle request | PROCESS_VM_READ to lsass.exe |
| ETW | WinAPI trace | NtReadVirtualMemory on lsass PID |
| AV/EDR | Memory scan | Dump file signatures |
The most robust detection layers kernel-level telemetry with behavioral correlation — not just signature matching on tools.
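As an added example (not code from the original post), here is the Sysmon ID 10 row of the table turned into working detection logic: it runs over constructed Sysmon "Process accessed" messages, decodes GrantedAccess, and flags any handle to lsass.exe that carries PROCESS_VM_READ unless the source process is on an allowlist. The allowlist, the sample paths and the message layout are assumptions for the demo.

```python
import re

# Windows process access rights relevant to reading LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS_MASK = 0x1FFFFF  # the GrantedAccess value cited in the table above

# Constructed allowlist of processes expected to read LSASS (tune per environment).
KNOWN_BENIGN_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}

# Constructed Sysmon Event ID 10 message bodies in Sysmon's "Key: Value" layout.
SAMPLE_EVENTS = [
    "Process accessed:\nSourceImage: C:\\Program Files\\Windows Defender\\MsMpEng.exe"
    "\nTargetImage: C:\\Windows\\system32\\lsass.exe\nGrantedAccess: 0x1FFFFF",
    "Process accessed:\nSourceImage: C:\\Users\\alice\\Downloads\\procdump.exe"
    "\nTargetImage: C:\\Windows\\system32\\lsass.exe\nGrantedAccess: 0x1FFFFF",
    "Process accessed:\nSourceImage: C:\\Windows\\system32\\rundll32.exe"
    "\nTargetImage: C:\\Windows\\system32\\lsass.exe\nGrantedAccess: 0x1010",
    "Process accessed:\nSourceImage: C:\\Windows\\explorer.exe"
    "\nTargetImage: C:\\Windows\\system32\\notepad.exe\nGrantedAccess: 0x1FFFFF",
]


def parse_event(message: str) -> dict:
    """Turn a Sysmon 'Key: Value' message body into a dict with lowercased keys."""
    fields = {}
    for line in message.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def evaluate_event(message: str):
    """Return a finding for a suspicious LSASS handle, or None for anything else."""
    ev = parse_event(message)
    target = ev.get("targetimage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    access = int(ev.get("grantedaccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        return None  # handle cannot read memory, so it cannot dump credentials
    source = ev.get("sourceimage", "").lower()
    if source in KNOWN_BENIGN_SOURCES:
        return None  # behavioural correlation: a known AV engine is expected here
    reason = "full access 0x1FFFFF" if access == PROCESS_ALL_ACCESS_MASK else "PROCESS_VM_READ"
    return {"source": source, "access": hex(access), "reason": reason}


def scan(messages):
    """Evaluate every message and keep only the findings."""
    return [f for f in (evaluate_event(m) for m in messages) if f]
```

Running `scan(SAMPLE_EVENTS)` yields two findings (procdump.exe with full access, rundll32.exe with 0x1010) and stays silent on the allowlisted Defender engine and on the non-LSASS target.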