Credential Dumping: LSASS Memory

Once a user has logged on, the credential material backing that session (NTLM hashes and Kerberos tickets, among other secrets) is cached in the memory of the Local Security Authority Subsystem Service (LSASS) process. An attacker who has obtained administrator-level rights on the host can open lsass.exe and read that memory, typically by writing a minidump of the process, and then extract the credentials offline for reuse on other systems. This indicator of attack requires the Sysmon extension: the Windows logon audits below only establish which sessions are present, while the access to LSASS itself is only visible through Sysmon's process-access auditing.

Event IDs   Audit Policies                                    Value
4624        Category: Logon/Logoff, Sub-category: Logon       Success
4634        Category: Logon/Logoff, Sub-category: Logoff      Success
1           Sysmon - Process creation                         Sysmon - N/A
5           Sysmon - Process terminated                       Sysmon - N/A
8           Sysmon - CreateRemoteThread                       Sysmon - N/A
10          Sysmon - ProcessAccess                            Sysmon - N/A

Requires Sysmon extension: Yes

For information on how to install and configure Sysmon, see Install Microsoft Sysmon.
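The following is an added example, not code from the original page or from the product it documents, showing the core of the detection: triaging Sysmon Event ID 10 (ProcessAccess) records whose TargetImage is lsass.exe. The field names (SourceImage, TargetImage, GrantedAccess, CallTrace) and the access-right bit values are Sysmon's and winnt.h's; the allow-list of legitimate LSASS readers, the list of minidump DLLs checked for in CallTrace, and the sample events are assumptions and constructed input, not captured logs.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for reads of LSASS memory.

Added example; the events in SAMPLES are constructed, not captured logs.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Process access rights from winnt.h; Sysmon's GrantedAccess is a bitmask of these.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# A dump (MiniDumpWriteDump / ReadProcessMemory) cannot be taken without VM_READ,
# so that bit is the core of the check. Common dump masks: 0x1010, 0x1410, 0x1FFFFF.
DUMP_BITS = PROCESS_VM_READ
# Rights that also allow writing into LSASS: injection rather than plain dumping.
INJECT_BITS = PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD
# Assumed: DLLs that implement minidump writing; their presence in CallTrace is a strong signal.
DUMP_MODULES = ("dbghelp.dll", "dbgcore.dll", "comsvcs.dll")
# Assumed site-specific allow-list of images that legitimately open LSASS (AV/EDR, OS).
# Lower-case full paths; tune to the environment and keep it as short as possible.
ALLOWED_SOURCES = {
    "c:\\program files\\windows defender\\msmpeng.exe",
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
}
NS = "http://schemas.microsoft.com/win/2004/08/events/event"


@dataclass
class Finding:
    severity: str        # "medium" or "high"
    source_image: str
    granted_access: int
    reasons: list


def parse_event(xml_text):
    """Flatten a Windows Event XML into {name: value}; EventID is stored under 'EventID'."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the xmlns prefix
        if tag == "EventID":
            fields["EventID"] = int(el.text)
        elif tag == "Data" and el.get("Name"):
            fields[el.get("Name")] = el.text or ""
    return fields


def triage(xml_text):
    """Return a Finding for a suspicious LSASS access, or None if the event is benign/irrelevant."""
    ev = parse_event(xml_text)
    if ev.get("EventID") != 10 or not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    if not access & DUMP_BITS:
        return None                             # e.g. 0x1000 alone cannot read memory
    source = ev.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return None
    reasons, severity = [f"VM_READ on lsass.exe from {source}"], "medium"
    if any(m in ev.get("CallTrace", "").lower() for m in DUMP_MODULES):
        reasons.append("minidump library in CallTrace"); severity = "high"
    if access & INJECT_BITS:
        reasons.append("write/thread rights requested (injection-capable)"); severity = "high"
    if not source.startswith("c:\\windows\\"):
        reasons.append("source image outside C:\\Windows"); severity = "high"
    return Finding(severity, source, access, reasons)


def make_event(event_id, **data):
    """Build a minimal Sysmon-style Event XML (constructed test input, not a real capture)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


LSASS = "C:\\Windows\\system32\\lsass.exe"
SAMPLES = {  # constructed events illustrating benign, dump-tool, LOLBin and irrelevant cases
    "defender": make_event(10, SourceImage="C:\\Program Files\\Windows Defender\\MsMpEng.exe",
                           TargetImage=LSASS, GrantedAccess="0x1410",
                           CallTrace="C:\\Windows\\SYSTEM32\\ntdll.dll+9d4f4|C:\\Windows\\System32\\KERNELBASE.dll+2cbee"),
    "procdump": make_event(10, SourceImage="C:\\Users\\alice\\Downloads\\procdump64.exe",
                           TargetImage=LSASS, GrantedAccess="0x1FFFFF",
                           CallTrace="C:\\Windows\\SYSTEM32\\ntdll.dll+9d4f4|C:\\Windows\\System32\\dbgcore.dll+1a8b2"),
    "comsvcs": make_event(10, SourceImage="C:\\Windows\\System32\\rundll32.exe",
                          TargetImage=LSASS, GrantedAccess="0x1410",
                          CallTrace="C:\\Windows\\SYSTEM32\\ntdll.dll+9d4f4|C:\\Windows\\System32\\comsvcs.dll+2e3d1"),
    "wmi_query": make_event(10, SourceImage="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
                            TargetImage=LSASS, GrantedAccess="0x1000", CallTrace=""),
    "other_target": make_event(10, SourceImage="C:\\Windows\\System32\\svchost.exe",
                               TargetImage="C:\\Windows\\System32\\notepad.exe",
                               GrantedAccess="0x1FFFFF", CallTrace=""),
}


def summarize(samples=SAMPLES):
    """Map each sample name to its finding severity (None when nothing is flagged)."""
    return {name: (f.severity if (f := triage(xml)) else None) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:13s} -> {triage(xml)}")
```

Two operational caveats. Sysmon does not record Event ID 10 at all until the configuration contains a ProcessAccess include rule, so a rule such as `<ProcessAccess onmatch="include"><TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage></ProcessAccess>` must be present for this indicator to fire. And the allow-list is the weak point of the logic: a noisy EDR or backup agent will push analysts to widen it, so keep it to exact full paths and review it whenever a new security agent is deployed rather than matching on image name alone, which an attacker can trivially spoof by renaming their tool.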

See also