MITRE ATT&CK® Analytic

AN1030: Analytic 1030

A non-privileged or abnormal process attempts to open a handle with full access (0x1F0FFF) to lsass.exe and subsequently invokes memory dump, file creation, or registry modification indicative of credential scraping. This behavior chain reflects staged credential theft activity.

Enterprise | AN1030 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on a high-value credential theft pattern on Windows: an unusual or non-privileged process obtaining full access to lsass.exe and then taking actions consistent with dumping or preserving credential material. For leaders, the practical value is not just “detect LSASS access,” but validating whether the organization can see the full behavior chain quickly enough to support containment, identity protection, and incident response decisions.

Executive priority

Prioritize this as an identity and incident-response readiness check for Windows environments. If a SOC cannot reliably correlate abnormal LSASS handle access with follow-on dump, file creation, or registry activity, responders may miss early evidence of credential scraping and lose time deciding whether to rotate credentials, isolate hosts, or investigate lateral movement risk. This is also useful audit evidence for demonstrating monitoring around privileged credential exposure, but local telemetry quality will determine defensibility.

Technical view

Validate Windows telemetry that can show a process opening a full-access handle to lsass.exe with access mask 0x1F0FFF, especially when the requesting process is non-privileged or abnormal for the host. Detection engineering should correlate that event with subsequent memory dump behavior, suspicious file creation, or registry modification. Because no ATT&CK detection logic is supplied, teams should treat this object as a behavioral detection requirement rather than a ready-to-run rule.

Likely telemetry

  • Windows process and parent-process execution telemetry
  • Process access events showing handle opens to lsass.exe and requested access rights
  • File creation telemetry for dump-like or unusual output files following LSASS access
  • Registry modification telemetry occurring after the suspicious process access
  • Host context for process reputation, expected administrative tools, user privilege level, and baseline behavior

Detection direction

  • Confirm that endpoint telemetry captures process access to lsass.exe with access mask detail, including 0x1F0FFF.
  • Tune for abnormal source processes rather than alerting on every LSASS interaction, since legitimate security, management, or diagnostic software may access LSASS.
  • Correlate LSASS full-access handle events with follow-on dump, file creation, or registry modification to reduce noise and preserve the staged-behavior context described by MITRE.
  • Review blind spots on Windows hosts without endpoint visibility, with incomplete process access logging, or where telemetry does not include access masks.
  • Use local baselines to define what is non-privileged or abnormal in the environment; ATT&CK does not provide a universal allowlist or threshold.
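The Technical view and the Detection direction items above describe a correlation requirement rather than a rule: a full-access handle open to lsass.exe from a non-baselined process, followed within a short window by dump-like file creation or registry modification from the same process. The Python below is an added example of that correlation logic; it is not MITRE's or Glexia's code. It assumes Sysmon-style field names for ProcessAccess (EID 10), FileCreate (EID 11) and RegistryEvent (EID 13), a five-minute correlation window, and a placeholder allowlist standing in for the local baseline the text says ATT&CK does not supply. All event records are constructed samples with hypothetical paths and PIDs.

```python
"""Correlate full-access LSASS handle opens with follow-on activity (AN1030 chain).

Added illustration, not project code. Field names follow Sysmon EID 10/11/13;
the events, paths, PIDs and allowlist entry below are constructed placeholders.
"""
from datetime import datetime, timedelta

FULL_ACCESS = 0x1F0FFF  # the full-access mask named by the analytic

# Placeholder local baseline: images that legitimately open LSASS in this
# environment (hypothetical EDR sensor). Populate from your own telemetry.
EXPECTED_LSASS_CLIENTS = {
    r"c:\program files\exampleedr\sensor.exe",
}

FOLLOW_ON_KINDS = {11: "file_create", 13: "registry_set"}  # Sysmon event IDs
CORRELATION_WINDOW = timedelta(minutes=5)  # assumed window; tune locally
DUMP_EXTENSIONS = (".dmp",)  # crude "dump-like output file" heuristic

# Constructed sample events (Sysmon-like shape, hypothetical values).
SAMPLE_EVENTS = [
    # 1. Unexpected process opens LSASS with full access ...
    {"time": "2024-01-01T10:00:00", "event_id": 10,
     "SourceImage": r"C:\Windows\Temp\updater.exe", "SourceProcessId": 4321,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1F0FFF"},
    # ... and writes a dump-like file seconds later: the staged chain AN1030 describes.
    {"time": "2024-01-01T10:00:05", "event_id": 11,
     "Image": r"C:\Windows\Temp\updater.exe", "ProcessId": 4321,
     "TargetFilename": r"C:\Windows\Temp\out.dmp"},
    # 2. Baselined sensor does the same; suppressed by the local allowlist.
    {"time": "2024-01-01T10:01:00", "event_id": 10,
     "SourceImage": r"C:\Program Files\ExampleEDR\sensor.exe", "SourceProcessId": 800,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1F0FFF"},
    {"time": "2024-01-01T10:01:02", "event_id": 11,
     "Image": r"C:\Program Files\ExampleEDR\sensor.exe", "ProcessId": 800,
     "TargetFilename": r"C:\ProgramData\ExampleEDR\scan.log"},
    # 3. Limited-rights handle (not full access): never a candidate.
    {"time": "2024-01-01T10:02:00", "event_id": 10,
     "SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": 900,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # 4. Full-access handle whose follow-on lands outside the 5-minute window:
    #    a candidate for review, but no correlated alert at the default window.
    {"time": "2024-01-01T10:10:00", "event_id": 10,
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\tool.exe", "SourceProcessId": 5555,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1F0FFF"},
    {"time": "2024-01-01T10:20:00", "event_id": 13, "EventType": "SetValue",
     "Image": r"C:\Users\bob\AppData\Local\Temp\tool.exe", "ProcessId": 5555,
     "TargetObject": r"HKLM\SOFTWARE\Example\Staging"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_full_access(granted_access):
    """True when the requested mask is exactly the full-access value (0x1F0FFF)."""
    try:
        return int(str(granted_access), 16) == FULL_ACCESS
    except ValueError:  # malformed or missing access mask in telemetry
        return False


def is_expected_client(image):
    return image.lower() in EXPECTED_LSASS_CLIENTS


def find_candidate_access(events):
    """EID 10 events: full-access handle to lsass.exe from a non-baselined image."""
    return [
        e for e in events
        if e["event_id"] == 10
        and e["TargetImage"].lower().endswith("\\lsass.exe")
        and is_full_access(e["GrantedAccess"])
        and not is_expected_client(e["SourceImage"])
    ]


def follow_on_events(events, candidate, window=CORRELATION_WINDOW):
    """File-create / registry-set events by the same PID inside the window."""
    start = _ts(candidate)
    pid = candidate["SourceProcessId"]
    hits = []
    for e in events:
        kind = FOLLOW_ON_KINDS.get(e["event_id"])
        if kind is None or e["ProcessId"] != pid:
            continue
        if not (start <= _ts(e) <= start + window):
            continue
        detail = e.get("TargetFilename") or e.get("TargetObject", "")
        hits.append({
            "kind": kind,
            "detail": detail,
            "dump_like": kind == "file_create" and detail.lower().endswith(DUMP_EXTENSIONS),
        })
    return hits


def correlate(events, window=CORRELATION_WINDOW):
    """AN1030 behaviour chain: candidate handle open plus at least one follow-on event."""
    alerts = []
    for cand in find_candidate_access(events):
        hits = follow_on_events(events, cand, window)
        if hits:
            alerts.append({
                "source_image": cand["SourceImage"],
                "pid": cand["SourceProcessId"],
                "access_time": cand["time"],
                "follow_on": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as written, only the updater.exe chain produces an alert: the sensor is suppressed by the baseline, svchost.exe never requested full access, and tool.exe's registry write falls outside the window (widening the window to fifteen minutes surfaces it). That last case is the tuning trade-off the Detection direction list points at: candidates without follow-on are still worth a lower-severity review queue, and the window and allowlist are local decisions, not values ATT&CK provides.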

Mitigation priorities

  • Ensure Windows endpoint monitoring can collect process access, file creation, registry modification, and process lineage needed for this behavior chain.
  • Restrict and review tools and accounts that legitimately require access to LSASS, minimizing unnecessary administrative exposure.
  • Prepare IR playbooks that treat confirmed suspicious LSASS access plus dump-related activity as a credential-protection event requiring host containment and identity follow-up.
  • Maintain asset and endpoint coverage inventories so SOC leaders know where this analytic can and cannot operate.
  • Use the detection as a validation point for identity security, SOC monitoring, and compliance evidence around credential protection.

Analyst notes and limits

The supplied object is a detection analytic, AN1030, for Windows in ATT&CK enterprise. It describes a behavior chain involving full-access handle opening to lsass.exe followed by memory dump, file creation, or registry modification indicative of credential scraping. No tactics, relationships, or official detection implementation were supplied, so the take emphasizes validation requirements and operational use rather than a specific rule.

This summary is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, attribution, business impact, or guaranteed detection. Local endpoint logging, EDR configuration, process baselines, and authorized administrative tooling must be reviewed before determining coverage or alert severity.

Official MITRE ATT&CK definition

Analytic 1030

A non-privileged or abnormal process attempts to open a handle with full access (0x1F0FFF) to lsass.exe and subsequently invokes memory dump, file creation, or registry modification indicative of credential scraping. This behavior chain reflects staged credential theft activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not shown)
Modified: (not shown)
Raw hash: a7c6a887c6455dec...

Imported snapshots across ATT&CK releases (1)

  Release          19.1
  Bundle imported  (not shown)
  Object version   1.0
  Modified         (not shown)
  Status           Current bundle
  Raw hash         a7c6a887c645…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1030 (external source record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.