Atomic Red Team: DumpLsass
Using Atomic Red Team to test LSASS credential dumping detections - validating your security controls against real attack techniques.
Originally published on Medium
Read the full article: Atomic Red Team DumpLsass
Why Test LSASS Detections?
LSASS credential dumping (T1003.001, OS Credential Dumping: LSASS Memory) is one of the most common post-exploitation techniques. An attacker with local admin rights or SeDebugPrivilege reads the memory of lsass.exe to recover cached password hashes, Kerberos tickets and, where WDigest caching is enabled, plaintext passwords. If your detections don't catch it, you're blind to credential theft.
Atomic Red Team Tests
Atomic Red Team provides multiple tests for T1003.001. Test numbers shift between releases of the atomics, so list them first with Invoke-AtomicTest T1003.001 -ShowDetailsBrief and confirm the mapping below before running anything. The tests need an elevated shell, and expect endpoint protection to block or quarantine the tooling, so run them on a dedicated, instrumented test host rather than a production machine:
Test 1: Mimikatz
Invoke-AtomicTest T1003.001 -TestNumbers 1
Test 2: Windows Credential Editor
Invoke-AtomicTest T1003.001 -TestNumbers 2
Test 3: Comsvcs.dll MiniDump
Invoke-AtomicTest T1003.001 -TestNumbers 3
What to Detect
Process Access to LSASS
Sysmon Event ID 10 (ProcessAccess) records each handle opened to a monitored process, including the requesting image and the access mask it asked for. Sysmon does not log ProcessAccess without a rule for it, so the config must include lsass.exe as a TargetImage. In Splunk:
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
| stats count by SourceImage, GrantedAccess
Suspicious GrantedAccess Values
Common values for credential dumping (Sysmon logs GrantedAccess as a hex mask of Windows process access rights):
- 0x1010: PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, enough to read process memory
- 0x1410: 0x1010 plus PROCESS_QUERY_INFORMATION
- 0x1438: 0x1410 plus PROCESS_VM_OPERATION and PROCESS_VM_WRITE, the value classically associated with Mimikatz sekurlsa
- 0x1fffff: PROCESS_ALL_ACCESS
Expect benign hits with the same masks: antivirus and EDR agents and Task Manager also open lsass.exe with 0x1010 or 0x1410, so baseline SourceImage on your hosts before alerting on the mask alone.
Known Tool Indicators
Look for, in process-creation telemetry (Sysmon Event ID 1, or Security 4688 with command-line logging enabled):
- Mimikatz: its module syntax on the command line (sekurlsa::, privilege::debug, lsadump::), plus the binary's hash or signature in AV/EDR alerts
- Comsvcs.dll: rundll32.exe loading comsvcs.dll and calling its MiniDump export (also reachable as ordinal #24) with an lsass PID and an output path as arguments
- ProcDump: procdump.exe or procdump64.exe run with -ma or -mp against lsass.exe
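The command-line indicators above as a small matcher, added here as an example and not code from the original article. It assumes Sysmon is installed with ProcessCreate (Event ID 1) logging; the regexes are my own assumptions about typical invocations rather than an exhaustive signature set, and the sample command lines at the end are constructed, not captured from a real host.

```powershell
# Added example, not code from the original article: flag process-creation events
# (Sysmon Event ID 1) whose command line matches the three tool indicators above.
# Assumes Sysmon is installed with ProcessCreate logging enabled; the regexes are
# assumptions about typical invocations, not an exhaustive signature set.

$LsassDumpPatterns = [ordered]@{
    # rundll32 comsvcs.dll, MiniDump <pid> <path> full  (MiniDump is also ordinal #24)
    'comsvcs MiniDump' = 'comsvcs(\.dll)?\s*,?\s*(MiniDump|#24)\b'
    # procdump -accepteula -ma lsass.exe out.dmp  (-mp is the lighter variant)
    'ProcDump'         = 'procdump.*\s-m[ap]\b.*lsass'
    # mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
    'Mimikatz'         = 'sekurlsa::|privilege::debug|lsadump::'
}

function Test-LsassDumpCommandLine {
    # Returns the matching indicator name, or $null when the command line looks benign.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    foreach ($name in $LsassDumpPatterns.Keys) {
        if ($CommandLine -imatch $LsassDumpPatterns[$name]) { return $name }
    }
    return $null
}

function Get-LsassDumpProcessCreates {
    # Live path: pull Sysmon ProcessCreate events since $Since and run them through the matcher.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
        $tool = Test-LsassDumpCommandLine -CommandLine $cmd
        if ($tool) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Tool        = $tool
                Image       = ($data | Where-Object Name -eq 'Image').'#text'
                CommandLine = $cmd
            }
        }
    }
}

# Constructed sample command lines (not captured from a real host) so the matcher can be
# exercised on a machine without Sysmon; the last one should come back with no Tool.
$samples = @(
    'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full'
    'procdump64.exe -accepteula -ma lsass.exe C:\temp\lsass.dmp'
    'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'
    'notepad.exe C:\Users\alice\notes.txt'
)
$samples | ForEach-Object {
    [pscustomobject]@{ Tool = Test-LsassDumpCommandLine $_; CommandLine = $_ }
} | Format-Table -AutoSize
```

On a Sysmon host, Get-LsassDumpProcessCreates -Since (Get-Date).AddMinutes(-30) runs the same matcher over real events. Command-line matching is the weakest of the three indicator classes (renaming procdump.exe or wrapping comsvcs in a script defeats it), which is why the GrantedAccess query on Event ID 10 remains the primary detection.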
Validation Workflow
- Run the atomic test on an instrumented host and note the start time
- Verify the detection fires: the Sysmon events reach the SIEM and the rule alerts on them, not just that the events exist
- Analyze the false positive rate over a baseline window (security agents and admin tooling that touch lsass.exe legitimately)
- Tune as needed, allowlisting by SourceImage path rather than by GrantedAccess mask alone
- Document coverage: which test numbers were run, which rule caught them, and what was missed
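The five steps above wired together, as an added example that is not code from the original article or from the Atomic Red Team project. It assumes the Invoke-AtomicRedTeam module and the atomics folder are installed, Sysmon is logging ProcessAccess for lsass.exe, and the shell is elevated. The test number is an assumption; confirm it with Invoke-AtomicTest T1003.001 -ShowDetailsBrief, since numbering changes between releases. The helper that decodes GrantedAccess into named rights and the Suspicious flag are my additions.

```powershell
# Added example, not code from the original article: run one atomic test for T1003.001
# and check whether Sysmon recorded a process-access event (ID 10) against lsass.exe with
# a suspicious GrantedAccess mask during the run. Assumes Invoke-AtomicRedTeam and the
# atomics folder are installed, Sysmon logs ProcessAccess for lsass.exe, and the shell
# is elevated. The test number is an assumption; confirm it with -ShowDetailsBrief.

Import-Module Invoke-AtomicRedTeam

# Windows process access rights that matter for reading LSASS memory.
$ProcessRights = [ordered]@{
    PROCESS_VM_OPERATION              = 0x0008
    PROCESS_VM_READ                   = 0x0010
    PROCESS_VM_WRITE                  = 0x0020
    PROCESS_QUERY_INFORMATION         = 0x0400
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
}
# Masks listed in the article as typical of credential dumping.
$SuspiciousMasks = 0x1010, 0x1410, 0x1438, 0x1fffff

function ConvertFrom-GrantedAccess {
    # Sysmon logs GrantedAccess as a hex string such as "0x1410"; decode it to right names.
    param([string]$Hex)
    $mask  = [Convert]::ToInt32($Hex, 16)
    $names = $ProcessRights.GetEnumerator() | Where-Object { $mask -band $_.Value } | ForEach-Object Key
    if ($mask -eq 0x1fffff) { $names = @('PROCESS_ALL_ACCESS') }
    [pscustomobject]@{ Mask = $mask; Rights = ($names -join '|'); Suspicious = ($mask -in $SuspiciousMasks) }
}

function Get-LsassAccessEvents {
    # Sysmon Event ID 10 records since $Since whose TargetImage is lsass.exe.
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data   = ([xml]$_.ToXml()).Event.EventData.Data
        $target = ($data | Where-Object Name -eq 'TargetImage').'#text'
        if ($target -like '*\lsass.exe') {
            $access = ConvertFrom-GrantedAccess (($data | Where-Object Name -eq 'GrantedAccess').'#text')
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = ($data | Where-Object Name -eq 'SourceImage').'#text'
                GrantedAccess = ('0x{0:x}' -f $access.Mask)
                Rights        = $access.Rights
                Suspicious    = $access.Suspicious
            }
        }
    }
}

function Invoke-LsassDetectionCheck {
    param([int]$TestNumber = 1)   # assumption: confirm the number with -ShowDetailsBrief
    # Steps 1-2 of the workflow: make sure the test can run, run it, then look for the telemetry.
    Invoke-AtomicTest T1003.001 -TestNumbers $TestNumber -CheckPrereqs
    Invoke-AtomicTest T1003.001 -TestNumbers $TestNumber -GetPrereqs
    $start = (Get-Date).AddSeconds(-5)   # small allowance for clock skew between event time and now
    Invoke-AtomicTest T1003.001 -TestNumbers $TestNumber
    Start-Sleep -Seconds 5               # give Sysmon time to write the events
    $hits = @(Get-LsassAccessEvents -Since $start)
    Invoke-AtomicTest T1003.001 -TestNumbers $TestNumber -Cleanup

    $flagged = @($hits | Where-Object Suspicious)
    if ($flagged.Count -gt 0) {
        "DETECTED: $($flagged.Count) suspicious LSASS access event(s) during test $TestNumber"
    } else {
        "MISSED: no suspicious LSASS access logged; check the Sysmon ProcessAccess rule for lsass.exe"
    }
    # Steps 3-5: every SourceImage that touched lsass.exe, suspicious or not, is the
    # raw material for the false-positive baseline and the coverage notes.
    $hits | Sort-Object Time | Format-Table -AutoSize
}

Invoke-LsassDetectionCheck -TestNumber 1
```

A DETECTED line here only proves that Sysmon produced the event; the second step in the workflow still needs the SIEM rule to alert on it, so follow up by searching the Splunk query from the Process Access section for the same time window. Running the check on a quiet host for an hour with no test (call Get-LsassAccessEvents -Since (Get-Date).AddHours(-1) directly) gives the benign SourceImage list used for tuning.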
Related Modules
Atomics on a Friday
Weekly YouTube show exploring atomic tests, detection engineering, and security research. Live demonstrations and deep dives into attack techniques.
NEBULA
Interactive PowerShell framework for testing WMI, COM, LOLBAS, and persistence techniques. Built for red team testing and defense validation.