Bypass Record
LSASS Credential Dumping × Microsoft Defender for Endpoint
A publicly reported instance of LSASS Credential Dumping bypassing Microsoft Defender for Endpoint, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
The reported technique extracts credentials from LSASS process memory without triggering Microsoft Defender for Endpoint's detections, so the dump is not surfaced by endpoint security monitoring.
Detection & mitigation
Monitor for suspicious access to LSASS process memory, such as unexpected handles opened to the process or unusual process injection, using Sysmon Event ID 10 (ProcessAccess) events whose target image is lsass.exe. Mitigate by enabling Credential Guard, enforcing LSA protection, and restricting administrative privileges to limit what credential dumping tools can reach.
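One way to operationalise the Sysmon Event ID 10 guidance above, as an added example (not code from the cited source): a small Python filter over constructed ProcessAccess records that flags non-allow-listed processes opening lsass.exe with memory-read rights. The GrantedAccess threshold, the allow-list and the simplified event layout (no XML namespace) are assumptions to tune per environment.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records in which a process opens lsass.exe
with memory-read rights. Added example, not from the cited source; the access-mask
threshold and the allow-list are assumptions to tune locally."""
import xml.etree.ElementTree as ET

PROCESS_VM_READ = 0x0010  # the right a memory dump needs (assumed threshold)
# Constructed allow-list of Windows components expected to open lsass.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\program files\windows defender\msmpeng.exe"}

def parse_event(xml_text):
    """Return EventID plus the <Data Name=...> fields of one Sysmon event."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    fields["EventID"] = int(root.findtext(".//EventID", default="0"))
    return fields

def is_suspicious_lsass_access(ev):
    """True for a non-allow-listed source opening lsass.exe with VM read rights."""
    if ev.get("EventID") != 10:
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)  # hex mask, e.g. 0x1010
    return bool(granted & PROCESS_VM_READ)

def scan(events_xml):
    """Return the SourceImage of every event that trips the rule."""
    return [ev["SourceImage"] for ev in map(parse_event, events_xml)
            if is_suspicious_lsass_access(ev)]

def _event(source, target, access):
    """Build a constructed Sysmon-style event (simplified, no XML namespace)."""
    return ('<Event><System><EventID>10</EventID></System><EventData>'
            f'<Data Name="SourceImage">{source}</Data>'
            f'<Data Name="TargetImage">{target}</Data>'
            f'<Data Name="GrantedAccess">{access}</Data></EventData></Event>')

LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    _event(r"C:\Windows\System32\csrss.exe", LSASS, "0x1FFFFF"),   # allow-listed
    _event(r"C:\Users\Public\unknown.exe", LSASS, "0x1010"),       # read access: flag
    _event(r"C:\Users\Public\unknown.exe", LSASS, "0x1000"),       # query only: ignore
    _event(r"C:\Users\Public\unknown.exe", r"C:\Windows\notepad.exe", "0x1010"),
]
if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # ['C:\\Users\\Public\\unknown.exe']
```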
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.