DET0363: Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence
Analyst context for executives and security teams
DET0363 is a MITRE ATT&CK detection strategy for identifying credential dumping from LSASS memory through an access-and-dump sequence. Its practical importance is that LSASS memory can contain credential material after user logon, and the related ATT&CK technique is tied to Credential Access on Windows. For leaders, this is a high-value validation area because failure to see suspicious LSASS access can weaken incident containment, identity assurance, and lateral-movement response decisions.
Executive priority
Prioritize this as an identity and incident-response readiness question: can the organization prove it collects and reviews the evidence needed to identify suspicious access to LSASS memory and subsequent dump activity on Windows systems? This supports control prioritization around privileged access, endpoint monitoring, SOC triage, and audit evidence for credential-protection controls. Because the detection strategy object has no official detection text or platform field of its own, leadership should ask for local validation rather than assume coverage from the ATT&CK mapping alone.
Technical view
The supplied relationship says DET0363 detects T1003.001, LSASS Memory, under the Credential Access tactic, with Windows as the related technique platform. SOC and detection engineering teams should validate whether endpoint telemetry can show a sequence involving access to LSASS and creation or handling of memory dump artifacts. IR teams should ensure playbooks treat suspicious LSASS access as potential credential exposure and evaluate follow-on risk to lateral movement using alternate authentication material, as described in the related technique context.
Likely telemetry
- Endpoint process telemetry showing a process opening a handle to LSASS (for example Sysmon Event ID 10 ProcessAccess, which records the source image, the GrantedAccess mask, and the call trace)
- Windows host security or EDR events associated with privileged process access
- Evidence of dump file creation, memory dump handling, or related file activity (for example Sysmon Event ID 11 FileCreate for .dmp files, or EDR file-write events attributed to the same source process)
- Command-line and parent/child process context for processes interacting with LSASS
- User, privilege, and host context for administrative or SYSTEM-level activity
Detection direction
- Validate sequence-based logic rather than isolated single events: suspicious LSASS access followed by dump-related activity should receive higher priority.
- Tune against legitimate administrative, security, or diagnostic tooling that may access LSASS or create dumps in approved contexts.
- Confirm telemetry includes process access details, command-line context, file creation context, and user privilege context; without these, the strategy may be difficult to operationalize.
- Use the relationship to T1003.001 to align alerts with Credential Access triage and possible lateral-movement risk, while avoiding claims of compromise from LSASS access alone.
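The sequence logic and tuning described above, as an added example that is not part of the DET0363 object or any MITRE analytic: it correlates Sysmon-style ProcessAccess events against lsass.exe with a later dump-file creation from the same process, drops an assumed allowlist of approved tooling, and rates access-only findings lower than access-plus-dump. The events, hostnames, paths, users and the allowlist are constructed for illustration; the field names follow Sysmon's schema but the values are made up.

```python
"""Added example: correlate suspicious LSASS process access with a subsequent
dump artifact (the access-and-dump sequence DET0363 describes).
All events, hosts, paths and the allowlist below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Win32 process access rights relevant to reading LSASS memory (documented
# constants). A dumper needs VM_READ plus one of the query rights.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumption: approved tooling that legitimately opens LSASS (e.g. an EDR
# sensor). Hypothetical path; populate from your own environment.
APPROVED_IMAGES = {r"c:\program files\edr\sensor.exe"}

# Assumption: how long after the access a dump artifact still counts as the
# same sequence.
SEQUENCE_WINDOW = timedelta(minutes=5)

LSASS_IMAGE = r"C:\Windows\System32\lsass.exe"


def _ev(ts, eid, host, src, pid, user, **extra):
    """Build one Sysmon-like event dict (constructed sample data)."""
    return {"ts": ts, "eid": eid, "host": host, "src": src, "pid": pid,
            "user": user, **extra}


# Constructed sample telemetry: EID 10 = ProcessAccess, EID 11 = FileCreate.
SAMPLE_EVENTS = [
    _ev("2026-01-10T09:00:00", 10, "WS01", r"C:\Program Files\EDR\sensor.exe", 812,
        "NT AUTHORITY\\SYSTEM", target=LSASS_IMAGE, granted="0x1010"),
    _ev("2026-01-10T09:00:01", 10, "WS01", r"C:\Users\jdoe\AppData\Local\Temp\pd.exe", 4412,
        "CORP\\jdoe", target=LSASS_IMAGE, granted="0x1FFFFF"),
    _ev("2026-01-10T09:00:04", 11, "WS01", r"C:\Users\jdoe\AppData\Local\Temp\pd.exe", 4412,
        "CORP\\jdoe", file=r"C:\Users\jdoe\AppData\Local\Temp\lsass.dmp"),
    _ev("2026-01-10T09:02:10", 10, "WS02", r"C:\Windows\System32\Taskmgr.exe", 2200,
        "CORP\\helpdesk", target=LSASS_IMAGE, granted="0x1400"),
    _ev("2026-01-10T09:05:30", 10, "WS03", r"C:\Windows\System32\rundll32.exe", 5120,
        "CORP\\svc_backup", target=LSASS_IMAGE, granted="0x1010"),
    _ev("2026-01-10T09:20:00", 11, "WS03", r"C:\Windows\System32\rundll32.exe", 5120,
        "CORP\\svc_backup", file=r"C:\Windows\Temp\lsass.dmp"),
]


def is_lsass_read(ev):
    """True for a ProcessAccess event that opens lsass.exe with a mask
    permitting memory reads (VM_READ plus a query right)."""
    if ev["eid"] != 10 or not ev["target"].lower().endswith("\\lsass.exe"):
        return False
    mask = int(ev["granted"], 16)
    wants_read = bool(mask & PROCESS_VM_READ)
    wants_query = bool(mask & (PROCESS_QUERY_INFORMATION
                               | PROCESS_QUERY_LIMITED_INFORMATION))
    return wants_read and wants_query


def is_dump_artifact(ev):
    """True for a FileCreate event that writes a memory-dump-looking file."""
    if ev["eid"] != 11:
        return False
    name = ev["file"].lower()
    return name.endswith(".dmp") or "lsass" in name


def correlate(events):
    """Group events by (host, source image, pid) and emit one finding per
    actor that read LSASS. Access alone is 'medium'; access followed by a
    dump artifact inside SEQUENCE_WINDOW is 'high'. Allowlisted images are
    dropped, which is the tuning step against approved tooling."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_actor[(ev["host"], ev["src"].lower(), ev["pid"])].append(ev)

    findings = []
    for (host, image, pid), evs in by_actor.items():
        if image in APPROVED_IMAGES:
            continue
        accesses = [e for e in evs if is_lsass_read(e)]
        if not accesses:
            continue
        first = datetime.fromisoformat(accesses[0]["ts"])
        dumps = [e for e in evs if is_dump_artifact(e)
                 and first <= datetime.fromisoformat(e["ts"]) <= first + SEQUENCE_WINDOW]
        findings.append({
            "host": host, "image": image, "pid": pid,
            "user": accesses[0]["user"], "granted": accesses[0]["granted"],
            "dump_files": [d["file"] for d in dumps],
            "severity": "high" if dumps else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['severity'].upper():6} {f['host']} {f['image']} "
              f"(pid {f['pid']}, {f['user']}, access {f['granted']}) "
              f"dumps={f['dump_files']}")
```

On the sample data the EDR sensor is dropped by the allowlist, Task Manager's 0x1400 open lacks VM_READ and never qualifies, the temp-folder binary that opens LSASS with 0x1FFFFF and writes lsass.dmp three seconds later is rated high, and the rundll32 access on WS03 stays medium because its dump lands outside the five-minute window. In production the actor key should be the process GUID rather than pid, and the dump check should also cover renamed or chunked outputs; the window, mask test and allowlist are the knobs the tuning bullet above refers to.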
Mitigation priorities
- Reduce unnecessary administrative and SYSTEM-level access on Windows systems where credential material could be exposed.
- Harden credential-protection and endpoint-monitoring controls around LSASS access (for example running LSASS as a protected process via RunAsPPL, or enabling Credential Guard, which ATT&CK lists as mitigations for T1003.001), then test whether monitoring evidence is actually generated and retained.
- Ensure SOC and IR procedures define escalation, containment, and credential-reset decision points for suspected LSASS memory access.
- Maintain evidence suitable for compliance and readiness reviews: monitored hosts, collected event classes, alert logic, exclusions, and test results.
Analyst notes and limits
This take is based on the detection strategy metadata and its relationship to ATT&CK technique T1003.001, LSASS Memory. The object itself does not include an official description, official detection text, tactics, or platforms; Windows and Credential Access come from the related technique context.
No active exploitation, attribution, prevalence, effectiveness, or guaranteed detection coverage is stated in the supplied data. Local endpoint tooling, event configuration, retention, and approved administrative activity must be reviewed before judging coverage or risk.
Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.001 | LSASS Memory (sub-technique) | This object detects LSASS Memory. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 662398831bf6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0363 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.