Potential LSASS Memory Dump via PssCaptureSnapShotedit

Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.

Rule type: threshold

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Credential Access

Version: 3 (version history)

Added (Elastic Stack release): 8.0.0

Last modified (Elastic Stack release): 8.2.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit

## Config

This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold
rule cardinality feature.

Rule queryedit

event.category:process and event.code:10 and
winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
"c:\\Windows\\system32\\lsass.exe" or

Threat mappingedit


Rule version historyedit

Version 3 (8.2.0 release)
  • Formatting only
Version 2 (8.1.0 release)
  • Formatting only