MITRE ATT&CK detection coverage

← Back to main site

Home/ MITRE Matrix/ Credential Access/ T1003.001

T1003.001LSASS Memory

T1003.001 — LSASS Memory is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 17 detection use cases covering it and 102 threat-intel articles citing it.

Credential Access

View on the matrix → Filter Detection Library MITRE official spec ↗

17Use cases

102Articles

0Sub-techniques

1Tactic

↑ Parent technique: T1003 · OS Credential Dumping

Use cases covering this technique (17)

LSASS process access / dump (credential theft) Internal actions · alerting DSΣP Access LSASS Memory for Dump Creation ESCU actions · alerting P Create Remote Thread into LSASS ESCU actions · alerting P Creation of lsass Dump with Taskmgr ESCU actions · alerting P Detect Credential Dumping through LSASS access ESCU actions · alerting P Dump LSASS via comsvcs DLL ESCU actions · alerting P Dump LSASS via procdump ESCU actions · alerting P Windows Credential Dumping LSASS Memory Createdump ESCU actions · alerting P Windows Hunting System Account Targeting Lsass ESCU actions · hunting P Windows Non-System Account Targeting Lsass ESCU actions · alerting P Windows Possible Credential Dumping ESCU actions · alerting P Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity ESCU actions · alerting P Detect Mimikatz Using Loaded Images ESCU actions · alerting P Detect Mimikatz Via PowerShell And EventCode 4703 ESCU actions · alerting P Dump LSASS via procdump Rename ESCU actions · hunting P Unsigned Image Loaded by LSASS ESCU actions · alerting P [LLM] MuddyWater CE-Notes / LP-Notes / Blub stealer staging-file writes Bespoke actions · alerting DSΣPDDCS

Articles citing this technique (102)

crit Chinese hackers hijack auth flow, spy on isolated network for a decade art-07

high Ukrainian national pleads guilty to role in Conti ransomware operation art-24

high CISA orders feds to patch actively exploited Ivanti flaw by Sunday art-34

high Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs art-36

high A tale of two eras art-40

crit The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm art-44

crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48

crit Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order art-101

crit UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign art-108

crit CISA KEV: CVE-2026-50751 — Check Point Security Gateway Improper Authentication Vulnerability art-111

crit Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign art-139

crit Malicious npm packages abuse dependency confusion to profile developer environments art-161

crit Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection art-178

high Typosquatted npm packages used to steal cloud and CI/CD secrets art-183

crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface art-187

crit ESET APT Activity Report Q4 2025–Q1 2026 art-189

crit Out of the Crypt: The Evolving Cyber Extortion Economy art-193

crit CISA KEV: CVE-2026-48027 — Nx Console Embedded Malicious Code Vulnerability art-203

crit CISA KEV: CVE-2026-45321 — TanStack Unspecified Vulnerability art-204

crit IT threat evolution in Q1 2026. Mobile statistics art-278

high The time of much patching is coming art-296

crit Kimsuky targets organizations with PebbleDash-based tools art-308

crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316

crit TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack art-318

crit PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale art-322

crit Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution art-325

crit Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Sco art-333

crit CISA KEV: CVE-2026-41940 — WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability art-344

crit CISA KEV: CVE-2024-1708 — ConnectWise ScreenConnect Path Traversal Vulnerability art-350

crit CISA KEV: CVE-2024-57728 — SimpleHelp Path Traversal Vulnerability art-358

crit CISA KEV: CVE-2024-57726 — SimpleHelp Missing Authorization Vulnerability art-359

crit What the ransom note won’t say art-370

crit CISA KEV: CVE-2023-27351 — PaperCut NG/MF Improper Authentication Vulnerability art-374

crit CISA KEV: CVE-2024-27199 — JetBrains TeamCity Relative Path Traversal Vulnerability art-378

crit CISA KEV: CVE-2023-21529 — Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability art-390

high As breakout time accelerates, prevention-first cybersecurity takes center stage art-408

crit How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM art-443

crit EDR killers explained: Beyond the drivers art-455

crit CISA KEV: CVE-2026-20131 — Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management art-457

crit Cyber fallout from the Iran war: What to have on your radar art-474

crit How SMBs use threat research and MDR to build a defensive edge art-486

crit Protecting education: How MDR can tip the balance in favor of schools art-491

high PromptSpy ushers in the era of Android threats using GenAI art-519

crit CISA KEV: CVE-2024-7694 — TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability art-531

crit CISA KEV: CVE-2026-1731 — BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability art-543

crit Naming and shaming: How ransomware groups tighten the screws on victims art-544

crit CISA KEV: CVE-2026-24423 — SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability art-576

crit DynoWiper update: Technical analysis and attribution art-590

crit CISA KEV: CVE-2025-52691 — SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability art-599

crit CISA KEV: CVE-2026-23760 — SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability art-600

crit Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT art-608

crit ESET Threat Report H2 2025 art-647

high Sha1-Hulud: The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Packages Compromised art-653

high Black Hat Europe 2025: Reputation matters – even in the ransomware economy art-660

crit CISA KEV: CVE-2025-55182 — Meta React Server Components Remote Code Execution Vulnerability art-670

med MuddyWater: Snakes by the riverbank art-676

high In memoriam: David Harley art-713

high Ground zero: 5 things to do after discovering a cyberattack art-722

high How MDR can give MSPs the edge in a competitive market art-730

crit CISA KEV: CVE-2025-61884 — Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability art-743

crit CISA KEV: CVE-2025-61882 — Oracle E-Business Suite Unspecified Vulnerability art-764

crit CISA KEV: CVE-2025-10035 — Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability art-773

crit CISA KEV: CVE-2025-49704 — Microsoft SharePoint Code Injection Vulnerability art-841

crit CISA KEV: CVE-2025-53770 — Microsoft SharePoint Deserialization of Untrusted Data Vulnerability art-844

crit CISA KEV: CVE-2025-5777 — Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability art-848

crit CISA KEV: CVE-2019-6693 — Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability art-860

high Finding Software Flaws Early in the Development Process Provides Clear ROI art-871

crit CISA KEV: CVE-2025-31324 — SAP NetWeaver Unrestricted File Upload Vulnerability art-923

crit CISA KEV: CVE-2025-29824 — Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability art-936

crit CISA KEV: CVE-2025-31161 — CrushFTP Authentication Bypass Vulnerability art-938

crit CISA KEV: CVE-2025-22457 — Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability art-939

crit CISA KEV: CVE-2025-24472 — Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability art-956

crit CISA KEV: CVE-2025-26633 — Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability art-970

crit CISA KEV: CVE-2025-22225 — VMware ESXi Arbitrary Write Vulnerability art-978

crit CISA KEV: CVE-2018-8639 — Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability art-982

crit CISA KEV: CVE-2024-53704 — SonicWall SonicOS SSLVPN Improper Authentication Vulnerability art-998

crit CISA KEV: CVE-2024-57727 — SimpleHelp Path Traversal Vulnerability art-999

crit CISA KEV: CVE-2025-23006 — SonicWall SMA1000 Appliances Deserialization Vulnerability art-1021

crit CISA KEV: CVE-2024-55591 — Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability art-1032

crit CISA KEV: CVE-2023-48365 — Qlik Sense HTTP Tunneling Vulnerability art-1033

crit CISA KEV: CVE-2025-0282 — Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability art-1037

crit CISA KEV: CVE-2024-55550 — Mitel MiCollab Path Traversal Vulnerability art-1039

crit CISA KEV: CVE-2024-55956 — Cleo Multiple Products Unauthenticated File Upload Vulnerability art-1051

crit CISA KEV: CVE-2024-50623 — Cleo Multiple Products Unrestricted File Upload Vulnerability art-1054

crit CISA KEV: CVE-2024-51378 — CyberPanel Incorrect Default Permissions Vulnerability art-1060

crit CISA KEV: CVE-2024-11667 — Zyxel Multiple Firewalls Path Traversal Vulnerability art-1063

crit CISA KEV: CVE-2023-28461 — Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability art-1069

crit CISA KEV: CVE-2024-9474 — Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability art-1078

crit CISA KEV: CVE-2024-49039 — Microsoft Windows Task Scheduler Privilege Escalation Vulnerability art-1089

crit CISA KEV: CVE-2024-51567 — CyberPanel Incorrect Default Permissions Vulnerability art-1091

crit CISA KEV: CVE-2024-38094 — Microsoft SharePoint Deserialization Vulnerability art-1106

crit CISA KEV: CVE-2024-40711 — Veeam Backup and Replication Deserialization Vulnerability art-1111

crit CISA KEV: CVE-2024-9680 — Mozilla Firefox Use-After-Free Vulnerability art-1114

crit CISA KEV: CVE-2024-30088 — Microsoft Windows Kernel TOCTOU Race Condition Vulnerability art-1115

crit CISA KEV: CVE-2024-6670 — Progress WhatsUp Gold SQL Injection Vulnerability art-1151

crit CISA KEV: CVE-2024-40766 — SonicWall SonicOS Improper Access Control Vulnerability art-1157

crit CISA KEV: CVE-2017-1000253 — Linux Kernel PIE Stack Buffer Corruption Vulnerability art-1158

crit CISA KEV: CVE-2024-23897 — Jenkins Command Line Interface (CLI) Path Traversal Vulnerability art-1177

crit CISA KEV: CVE-2024-37085 — VMware ESXi Authentication Bypass Vulnerability art-1197

crit CISA KEV: CVE-2024-26169 — Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability art-1230

crit CISA KEV: CVE-2024-4577 — PHP-CGI OS Command Injection Vulnerability art-1234

crit Snyk Learn and the NIST Cybersecurity Framework (CSF) art-1274