Credential Theft

Detecting LSASS credential dumps in Windows event logs

By Arden Security • April 21, 2026 • 5 min read

After an attacker lands on a Windows machine, the first thing they do is dump credentials. The target is almost always the same: lsass.exe — the Local Security Authority Subsystem Service. LSASS holds NTLM hashes, Kerberos tickets, and sometimes plaintext passwords for every user who has logged into that machine. Dump it, and you have the keys to move laterally across the entire domain.

The problem: credential dumping takes seconds. If you aren't watching the right events, you'll never know it happened. Here are the five techniques attackers use to dump LSASS and the Windows events that catch each one.

Mimikatz (sekurlsa::logonpasswords)

Mimikatz is the most well-known credential dumping tool in existence. It reads LSASS memory directly to extract hashes and tickets. On a machine with Sysmon installed, you'll see Event ID 10 (ProcessAccess) where the TargetImage is C:\Windows\System32\lsass.exe and the GrantedAccess mask is 0x1010 or 0x1FFFFF (the latter is PROCESS_ALL_ACCESS). Without Sysmon, look for Event ID 4656 (handle requested) and Event ID 4663 (object access) in the Security log targeting lsass.exe with READ_CONTROL or PROCESS_VM_READ access. Any non-system process opening a handle to LSASS with those permissions is suspicious.

comsvcs.dll MiniDump

Attackers who want to avoid dropping Mimikatz on disk use a built-in Windows DLL instead. The command rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [lsass PID] out.dmp full creates a full memory dump of LSASS using a signed Microsoft binary. Look for Event ID 4688 (process creation) where the command line contains "comsvcs" and "MiniDump" together, or where rundll32.exe is spawned with comsvcs.dll as an argument. This is a living-off-the-land technique — the binary is trusted, but the usage is not.

ProcDump (Sysinternals)

ProcDump is a legitimate Sysinternals tool, which makes it another favorite for credential theft. The command procdump.exe -ma lsass.exe lsass.dmp writes LSASS memory to a file that can be exfiltrated and parsed offline with Mimikatz. Watch for Event ID 4688 where the new process name contains "procdump" and the command line references "lsass." Also look for Event ID 11 (FileCreate) in Sysmon for any .dmp file created in unusual locations like temp directories or user profiles.

Task Manager dump

The simplest method of all: an attacker with local admin rights opens Task Manager, right-clicks lsass.exe, and selects "Create dump file." Windows writes the dump to the user's AppData\Local\Temp folder. Look for Event ID 4688 where taskmgr.exe spawns a child process, combined with Event ID 4663 showing file writes to a path ending in lsass.DMP. This technique requires no tools at all — just a GUI session and admin privileges.

Registry SAM extraction

Instead of touching LSASS directly, attackers can dump the SAM, SYSTEM, and SECURITY registry hives to extract local account hashes offline. The commands reg save HKLM\SAM sam.bak and reg save HKLM\SYSTEM sys.bak show up clearly in Event ID 4688 process creation logs. Also watch for Event ID 4656 with ObjectName containing \REGISTRY\MACHINE\SAM or \REGISTRY\MACHINE\SECURITY with write or backup access. This technique bypasses LSASS entirely but only gets local hashes — not cached domain credentials.

The common thread: every one of these techniques either opens a handle to lsass.exe with unusual access rights, creates a suspicious process with LSASS-related command-line arguments, or writes a .dmp file to disk. If you're auditing process creation (Event ID 4688 with command-line logging enabled) and object access (4656/4663), you have the raw data to catch all of them.
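The five detections above, folded into one classifier and run over constructed sample events. This is an added example, not Arden's code: the event dictionaries, the process paths, the user name and the PID 712 are made up, and the handle check tests the PROCESS_VM_READ bit (0x0010), which both of the masks named above contain.

```python
import re

# PROCESS_VM_READ (0x0010) is the bit shared by the 0x1010 and 0x1FFFFF masks.
PROCESS_VM_READ = 0x0010

# Constructed sample events shaped like the fields discussed above; a real
# pipeline would pull them from Get-WinEvent or a forwarder. Paths/PID are made up.
SAMPLE_EVENTS = [
    {"id": 10, "SourceImage": r"C:\Users\bob\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"id": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 out.dmp full"},
    {"id": 4688, "NewProcessName": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -ma lsass.exe lsass.dmp"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM sam.bak"},
    {"id": 11, "Image": r"C:\Windows\System32\taskmgr.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\lsass.DMP"},
]

REG_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b")

def classify(ev):
    """Return (technique, detail) if the event matches a dump pattern, else None."""
    eid = ev["id"]
    if eid == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        # Sysmon ProcessAccess: any handle to LSASS that carries VM_READ
        if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
            return ("lsass-handle-vm-read", ev["SourceImage"])
    elif eid == 4688:
        cmd = ev.get("CommandLine", "").lower()
        if "comsvcs" in cmd and "minidump" in cmd:
            return ("comsvcs-minidump", ev["CommandLine"])
        if "procdump" in cmd and "lsass" in cmd:
            return ("procdump-lsass", ev["CommandLine"])
        if REG_SAVE.search(cmd):
            return ("reg-save-hive", ev["CommandLine"])
    elif eid == 11:
        # Sysmon FileCreate: a .dmp written under a temp dir or a user profile
        path = ev.get("TargetFilename", "").lower()
        if path.endswith(".dmp") and ("\\temp\\" in path or "\\users\\" in path):
            return ("dmp-file-write", ev["TargetFilename"])
    return None

def scan(events):
    # Keep the hits in log order; the csrss handle (no VM_READ bit) drops out.
    return [hit for hit in map(classify, events) if hit]
```

Calling scan(SAMPLE_EVENTS) yields five hits, one per technique, and none for the csrss handle whose 0x1400 mask lacks the read-memory right.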

The challenge is that these events happen in milliseconds and get buried in thousands of other log entries. Arden flags credential dumping activity automatically — it watches for LSASS access patterns, suspicious process ancestry, and known tool signatures across all your monitored hosts in real time.

For more on what attackers do after dumping credentials, see our guide to spotting lateral movement without a SOC. And for the fundamentals, start with the 5 Windows Event IDs every system administrator should monitor.

Catch credential theft before it becomes a breach.

Arden detects Mimikatz, LSASS dumps, pass-the-hash, and Kerberoasting across your Windows environment — no SIEM required.
