
You Bet Your Lsass: Hunting LSASS Access

Comprehensive guide to detecting LSASS credential dumping - analyzing Mimikatz, Cobalt Strike, and other tools with updated Splunk detections.

lsass mimikatz credential-dumping detection splunk

Originally published on the Splunk Security Blog
Read the full article: You Bet Your Lsass

The LSASS Target

LSASS (Local Security Authority Subsystem Service) is the primary target for credential theft. Mimikatz, Cobalt Strike, and countless other tools all target LSASS memory.

Understanding GrantedAccess

When a process accesses LSASS, Windows logs the requested permissions:

Value      Meaning
0x1010     PROCESS_VM_READ + PROCESS_QUERY_LIMITED_INFORMATION
0x1410     PROCESS_VM_READ + PROCESS_QUERY_INFORMATION
0x1fffff   PROCESS_ALL_ACCESS

Updated Detection

Our enhanced Sysmon query:

`sysmon` EventCode=10 TargetImage=*lsass.exe 
  GrantedAccess IN ("0x01000", "0x1010", "0x1038", "0x40", "0x1400", "0x1fffff", "0x1410", "0x143a", "0x1438", "0x1000") 
  CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*")
| stats count min(_time) as firstTime max(_time) as lastTime 
  by Computer, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser
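As an added example (not code from the article or from Splunk), the following Python decodes a GrantedAccess mask into the PROCESS_* rights it is built from, as in the table above, and replays the query's filters over constructed Sysmon EventCode 10 records; the sample events, the `_event` helper and the function names are assumptions made for this illustration.

```python
import fnmatch

# Documented Windows PROCESS_* access-right bits, the values a GrantedAccess mask is built from.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF

# Same masks and CallTrace patterns as the Splunk query ("0x01000" and "0x1000" are one value).
WATCHED_MASKS = {0x1000, 0x1010, 0x1038, 0x40, 0x1400, 0x1FFFFF, 0x1410, 0x143A, 0x1438}
WATCHED_CALLTRACE = ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*")

def decode_granted_access(mask):
    """Expand a GrantedAccess hex string such as "0x1010" into the named rights it contains."""
    value = int(mask, 16)
    if value == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]

def classify(event):
    """Apply the query's filters to one record: None if it does not match, otherwise
    "system" or "non-system" according to SourceUser (the split the page makes)."""
    if event["EventCode"] != 10 or not event["TargetImage"].lower().endswith("lsass.exe"):
        return None
    if int(event["GrantedAccess"], 16) not in WATCHED_MASKS:
        return None
    if not any(fnmatch.fnmatchcase(event["CallTrace"].lower(), p) for p in WATCHED_CALLTRACE):
        return None
    return "system" if event["SourceUser"].upper() == "NT AUTHORITY\\SYSTEM" else "non-system"

def _event(mask, source, user, trace):
    """Build a constructed (not real) record in the shape of extracted Sysmon EventCode 10 fields."""
    return {"EventCode": 10, "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": mask,
            "SourceImage": source, "SourceUser": user, "CallTrace": trace}

# Constructed sample telemetry: an unsigned tool run by a domain user, a SYSTEM service, and a
# user process asking only for PROCESS_TERMINATE (a mask the query does not watch).
NTDLL = "C:\\Windows\\SYSTEM32\\ntdll.dll+9c534|"
SAMPLE_EVENTS = [
    _event("0x1010", "C:\\Users\\alice\\tool.exe", "CORP\\alice", NTDLL + "C:\\Users\\alice\\tool.exe+1b2f"),
    _event("0x1400", "C:\\Windows\\system32\\svchost.exe", "NT AUTHORITY\\SYSTEM", NTDLL + "C:\\Windows\\System32\\KERNELBASE.dll+2c62e"),
    _event("0x0001", "C:\\Windows\\system32\\taskmgr.exe", "CORP\\bob", NTDLL + "C:\\Windows\\System32\\KERNELBASE.dll+2c62e"),
]
```

Every user-mode handle open passes through ntdll.dll, so the `*ntdll.dll*` pattern matches essentially every EventCode 10 record; the GrantedAccess and SourceUser filters carry the real signal.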

Key Observations

User Context Matters

  • Normal: NT AUTHORITY\SYSTEM accessing LSASS
  • Suspicious: DOMAIN\user accessing LSASS

Tool Variations

Different tools request different access rights, so test the detection against several of them:

  • Mimikatz
  • Invoke-Mimikatz
  • Cobalt Strike
  • ProcDump

New Analytics

  1. Windows Hunting System Account Targeting Lsass - All LSASS access
  2. Windows Non-System Account Targeting Lsass - User accounts accessing LSASS
  3. Windows Possible Credential Dumping - Enhanced GrantedAccess detection

Read the full analysis: You Bet Your Lsass
