In-memory credential theft attacks against Windows authentication have become a critical threat to enterprise security in recent years. Tools such as Mimikatz and its variants read the memory of the Local Security Authority Subsystem Service (LSASS) process to extract credentials directly from a running system. With those credentials an adversary can escalate privileges, impersonate legitimate users and move laterally within the network. Despite the hardening measures that have been introduced to protect LSASS, attackers continue to develop stealthier and more evasive techniques for credential dumping.
This evolving threat landscape calls for a real-time, behaviour-aware detection framework that can identify suspicious credential dumping activity both during the early staging phase and during execution. This research aims to design and evaluate such a framework by combining system event telemetry with behaviour-aware detection logic to improve visibility into in-memory credential theft attempts. The implemented solution monitors critical system activities associated with credential dumping, correlates them with Indicators of Compromise (IoCs) derived from studying attacker behaviour, and delivers real-time alerts with severity classification so that the most critical threats are prioritised.