Bypass Record
LSASS Credential Dumping × Microsoft Defender for Endpoint
A publicly-reported instance of LSASS Credential Dumping bypassing Microsoft Defender for Endpoint, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
Nemesis AI agent iteratively tested variants of SAM extraction. It bypassed Defender by: 1) creating a VSS shadow copy via WMI (Win32_ShadowCopy) instead of vssadmin.exe to avoid process-name detection; 2) reading the SAM file directly from the raw disk at the shadow copy's offset using CreateFile with \\.\PhysicalDrive0, seeking to the partition offset, and parsing the NTFS MFT to locate and extract the SAM file bytes, thus avoiding the file-system access pattern that triggers Defender's behavior monitoring.
Detection & mitigation
Monitor for raw disk access via CreateFile to \\.\PhysicalDrive0 from non-system processes, especially when combined with WMI shadow copy creation (Win32_ShadowCopy). Mitigate by restricting raw disk access to only authorized processes and enabling attack surface reduction rules to block WMI-based shadow copy creation.
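The following detection sketch is an added example, not code from the original record or from any cited source. It applies the monitoring advice above to a normalized endpoint event stream: it flags raw device reads (Sysmon Event ID 9, RawAccessRead, reports these) from images outside an allowlist, and raises the severity when the same host and process also issued a Win32_ShadowCopy WMI call within a short window. The field names, the "WmiMethodCall" event label, the allowlist contents and the correlation window are assumptions to be mapped onto whatever telemetry pipeline is in use, and the sample events are constructed for illustration.

```python
"""Correlate raw-disk reads with WMI shadow-copy creation (added example).

Assumptions: events are dicts with ts (ISO 8601), host, pid, image, event,
detail. The event labels and the allowlist below are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Images expected to touch raw disk or shadow copies in a typical build.
# Placeholder allowlist (assumption): tune per environment.
SYSTEM_IMAGES = {
    r"c:\windows\system32\vssvc.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# Device paths that denote raw access to a physical disk.
RAW_DEVICE_PREFIXES = (r"\\.\physicaldrive", r"\\.\harddisk")

# How far apart a shadow-copy call and a raw read may be and still be linked.
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "host": "ws01", "pid": 4120,
     "image": r"C:\Users\alice\tool.exe",
     "event": "WmiMethodCall", "detail": "Win32_ShadowCopy.Create"},
    {"ts": "2024-01-01T10:00:07", "host": "ws01", "pid": 4120,
     "image": r"C:\Users\alice\tool.exe",
     "event": "RawAccessRead", "detail": r"\\.\PhysicalDrive0"},
    {"ts": "2024-01-01T10:01:00", "host": "ws01", "pid": 912,
     "image": r"C:\Windows\System32\VSSVC.exe",
     "event": "RawAccessRead", "detail": r"\\.\PhysicalDrive0"},
    {"ts": "2024-01-01T11:30:00", "host": "ws02", "pid": 5000,
     "image": r"C:\Tools\backup.exe",
     "event": "RawAccessRead", "detail": r"\\.\PhysicalDrive0"},
]


def _parse_ts(value):
    return datetime.fromisoformat(value)


def is_raw_device(path):
    """True when the target is a raw physical-disk device path."""
    return path.lower().startswith(RAW_DEVICE_PREFIXES)


def is_shadow_copy_call(detail):
    """True when the WMI call targets the Win32_ShadowCopy class."""
    return detail.lower().startswith("win32_shadowcopy")


def is_system_image(image):
    return image.lower() in SYSTEM_IMAGES


def analyze(events, window=CORRELATION_WINDOW):
    """Return alerts for raw reads by non-allowlisted images.

    Severity is "high" when the same host/pid also made a Win32_ShadowCopy
    call within the window, otherwise "medium".
    """
    shadow_calls = defaultdict(list)
    for e in events:
        if e["event"] == "WmiMethodCall" and is_shadow_copy_call(e["detail"]):
            shadow_calls[(e["host"], e["pid"])].append(_parse_ts(e["ts"]))

    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "RawAccessRead" or not is_raw_device(e["detail"]):
            continue
        if is_system_image(e["image"]):
            continue  # expected system component; suppress
        ts = _parse_ts(e["ts"])
        linked = [t for t in shadow_calls.get((e["host"], e["pid"]), [])
                  if abs(ts - t) <= window]
        alerts.append({
            "host": e["host"],
            "pid": e["pid"],
            "image": e["image"],
            "device": e["detail"],
            "severity": "high" if linked else "medium",
            "shadow_copy_calls": len(linked),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the allowlisted VSSVC.exe read is suppressed, the backup tool on ws02 produces a medium alert for review, and the process on ws01 that paired a Win32_ShadowCopy call with a raw read of \\.\PhysicalDrive0 produces a high alert. The allowlist is the weak point of this logic: keep it short and pair it with an attack surface reduction policy rather than relying on image paths alone.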
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.