Technique T1003
OS Credential Dumping
Detection & mitigation
Monitor for suspicious access to LSASS process memory, such as via suspicious process handles or unusual process injections, using Sysmon Event ID 10 (ProcessAccess) with target LSASS.exe. Mitigate by enabling Credential Guard, enforcing LSA protection, and restricting administrative privileges to limit credential dumping tools.