{
	"id": "2fa8654e-a916-469b-b7b1-42db6fd9c3db",
	"created_at": "2026-04-06T00:19:52.185686Z",
	"updated_at": "2026-04-10T03:21:10.298122Z",
	"deleted_at": null,
	"sha1_hash": "177d9207c24428afd22e1c27844ff42b0e16024e",
	"title": "Detecting Attempts to Steal Passwords from Memory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1775064,
	"plain_text": "Detecting Attempts to Steal Passwords from Memory\r\nBy David French\r\nPublished: 2020-09-28 · Archived: 2026-04-05 13:03:30 UTC\r\nAn adversary can harvest credentials from the Local Security Authority Subsystem Service (LSASS) process in memory once they have administrative or SYSTEM privileges.\r\nCredential Dumping is MITRE ATT\u0026CK Technique T1003.\r\nThis post provides the steps to configure Sysmon to log processes accessing the lsass.exe process. Once this logging is configured, you can monitor for suspicious processes accessing lsass.exe, which could be indicative of credential dumping activity.\r\nNote: if you decide to implement any of the monitoring and detection detailed in this post in a production environment, it is likely that some tuning will be required to filter benign or expected behavior.\r\nInstall and Configure Sysmon\r\nDownload Sysmon: https://technet.microsoft.com/en-us/sysinternals/sysmon\r\nhttps://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea\r\nPage 1 of 4\r\nCreate a file named sysmon_config.xml and copy the configuration below into the file.\r\n\u003cSysmon schemaversion=\"4.1\"\u003e\r\n  \u003cHashAlgorithms\u003eSHA256\u003c/HashAlgorithms\u003e\r\n  \u003cEventFiltering\u003e\r\n    \u003c!-- ProcessAccess events are Sysmon Event ID 10; no rules are listed here, so tune with exclusions for known-benign processes once deployed --\u003e\r\n    \u003cProcessAccess default=\"include\"\u003e\r\n    \u003c/ProcessAccess\u003e\r\n  \u003c/EventFiltering\u003e\r\n\u003c/Sysmon\u003e\r\nInstall Sysmon using the configuration file you created:\r\nsysmon64.exe -i .\\sysmon_config.xml\r\nValidate that the configuration has been applied by dumping the current Sysmon configuration:\r\nsysmon64.exe -c\r\nDump Passwords From Memory Using Mimikatz\r\nTo test the Sysmon Process Access logging, dump passwords from memory using Mimikatz.\r\nPS C:\\Users\\fmfx009\\Downloads\\mimikatz_trunk\\x64\u003e .\\mimikatz.exe\r\nprivilege::debug\r\nsekurlsa::logonpasswords\r\nReview Sysmon Event Logs for Mimikatz Usage\r\nAccess the Sysmon logs via the Event Viewer under Microsoft-Windows-Sysmon/Operational or use the filtering features of Event Log Explorer.\r\nApply a filter to view all events with Event ID 10, Process accessed.\r\nYou should see evidence of SourceImage: lsass.exe accessing TargetImage: mimikatz.exe. You should also see evidence of SourceImage: mimikatz.exe accessing TargetImage: lsass.exe.\r\nSource: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea"
	],
	"report_names": [
		"detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea"
	],
	"threat_actors": [],
	"ts_created_at": 1775434792,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/177d9207c24428afd22e1c27844ff42b0e16024e.pdf",
		"text": "https://archive.orkl.eu/177d9207c24428afd22e1c27844ff42b0e16024e.txt",
		"img": "https://archive.orkl.eu/177d9207c24428afd22e1c27844ff42b0e16024e.jpg"
	}
}