T1003.001: LSASS Memory
| View on MITRE ATT&CK | T1003.001 |
|---|---|
| Tactic(s) | Credential Access |
Data from MITRE ATT&CK®:
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:

```
procdump -ma lsass.exe lsass_dump
```

Locally, mimikatz can be run using:

```
sekurlsa::Minidump lsassdump.dmp
sekurlsa::logonPasswords
```

Built-in Windows tools such as comsvcs.dll can also be used:

```
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
```
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages` and `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages`. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
- Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
- Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
- Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
- CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
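The two data sources the technique text points at are process access to lsass.exe (Sysmon EID 10, with its GrantedAccess mask and CallTrace) and writes to the two `Security Packages` registry values (Sysmon EID 13 / Windows EID 4657). The following is an added example of how a defender can turn both into detection logic; it is not MITRE's code or part of the ATT&CK data. The process-right constants come from winnt.h; the allow-list of source images, the SSP baseline, the sample events and the assumption that the REG_MULTI_SZ data has been flattened to a whitespace-separated `Details` string are all constructed for the example and must be tuned to a real environment.

```python
"""Detection sketch for T1003.001: flag lsass.exe memory access and SSP registry
changes in Sysmon-style events. Example code written for this page, not MITRE's."""

# Process access rights from winnt.h; Sysmon EID 10 reports the requested set as GrantedAccess.
PROCESS_RIGHTS = [
    (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"),
    (0x0020, "PROCESS_VM_WRITE"),
    (0x0040, "PROCESS_DUP_HANDLE"),
    (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
]
# Rights that let the caller read LSASS memory, write into it, or inject a thread.
DUMP_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040

# Constructed allow-list: processes expected to open lsass.exe with read rights; tune per estate.
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
}

# The two registry values named in the technique text (normalised to lower case).
SSP_VALUES = {
    r"hklm\system\currentcontrolset\control\lsa\security packages",
    r"hklm\system\currentcontrolset\control\lsa\osconfig\security packages",
}
# Constructed baseline of SSP names expected in those values; take it from a known-good build.
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}


def decode_access(mask):
    """Return the names of the process rights set in a GrantedAccess mask."""
    return [name for bit, name in PROCESS_RIGHTS if mask & bit]


def check_process_access(event):
    """Sysmon EID 10: alert when lsass.exe is opened with memory-access rights by a
    non-allow-listed image, or via the minidump DLLs, or from code not backed by a module."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    mask = int(event["GrantedAccess"], 16)
    source = event["SourceImage"].lower()
    trace = event.get("CallTrace", "").lower()
    reasons = []
    if mask & DUMP_RIGHTS and source not in ALLOWED_SOURCES:
        reasons.append("memory-access rights: " + ", ".join(decode_access(mask)))
    # MiniDumpWriteDump lives in dbghelp.dll/dbgcore.dll; seeing them in the call stack
    # of an lsass.exe open is the classic dump signature (procdump, comsvcs.dll, Task Manager).
    if "dbghelp.dll" in trace or "dbgcore.dll" in trace:
        reasons.append("call trace passes through dbghelp/dbgcore")
    # Sysmon renders frames outside any loaded module as UNKNOWN(...): typical of
    # direct-syscall or unhooking dumpers that avoid the normal API path.
    if "unknown(" in trace:
        reasons.append("call trace contains frames not backed by a module")
    if not reasons:
        return None
    return {"rule": "lsass-process-access", "source": event["SourceImage"], "reasons": reasons}


def check_ssp_registry(event):
    """Sysmon EID 13 / Windows EID 4657: alert when either Security Packages value is
    written with a package outside the baseline (it loads into LSASS at next boot
    or when AddSecurityPackage is called)."""
    target = event["TargetObject"].lower()
    if target not in SSP_VALUES:
        return None
    # Assumption: the REG_MULTI_SZ data has been flattened to a whitespace-separated string.
    packages = {p.lower() for p in event.get("Details", "").split()}
    unknown = sorted(packages - BASELINE_SSPS)
    if not unknown:
        return None
    return {"rule": "ssp-registry-change", "target": event["TargetObject"], "unknown_packages": unknown}


def analyze(events):
    """Run both checks over a stream of Sysmon-style events and collect alerts."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 10:
            hit = check_process_access(ev)
        elif ev["EventID"] == 13:
            hit = check_ssp_registry(ev)
        else:
            hit = None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry), shaped like Sysmon EID 10 and 13 fields.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\dbgcore.dll+2a1b0"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u custom_ssp_example"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel",
     "Details": "DWORD (0x00000005)"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events, the procdump open of lsass.exe fires on both the access mask and the dbgcore.dll frame, the Defender engine's read is suppressed by the allow-list, the Task Manager open with only query rights (0x1400) is ignored, and the write of an unknown package name to `Security Packages` produces a second alert. The allow-list is the fragile part: keep it to full paths of signed security products, and review any LSASS reader added to it, since a dumper copied to an allow-listed path would otherwise be silenced.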
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
AA24-109A StopRansomware: Akira Ransomware
This is a joint #StopRansomware advisory issued by CISA and partners covering Akira ransomware attacks. According to the report, the group has ...
Investigating New INC Ransom Group Activity
This blog post from huntress discusses the ransomware group known as 'INC', breaking down the stages of an attack day by day. The Huntress team ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
#StopRansomware: LockBit 3.0
This #StopRansomware Cybersecurity Advisory from CISA and partners describes the operations associated with LockBit 3.0 which operates as a ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Operating System Configuration
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Password Policies
Set and enforce secure password policies for accounts.
Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
Credential Access Protection
Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.
Privileged Process Integrity
Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.
User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
How to detect this technique
MITRE ATT&CK Data Components
OS API Execution (Process)
Operating system function/method calls executed by a process
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Logon Session Creation (Logon Session)
Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wtmp)
Windows Registry Key Modification (Windows Registry)
Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Process Access (Process)
Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Dump LSASS.exe Memory using direct system calls and API unhooking
Dump LSASS.exe Memory through Silent Process Exit
Dump LSASS.exe Memory using comsvcs.dll
Dump LSASS.exe Memory using ProcDump
Powershell Mimikatz
Dump LSASS with createdump.exe from .Net v5
Dump LSASS.exe Memory using Windows Task Manager
Dump LSASS.exe Memory using NanoDump
Offline Credential Theft With Mimikatz
Dump LSASS.exe using lolbin rdrleakdiag.exe
Create Mini Dump of LSASS.exe using ProcDump
LSASS read with pypykatz
Dump LSASS.exe using imported Microsoft DLLs
Dump LSASS.exe Memory using Out-Minidump.ps1
Sigma Detections for this Technique
Potential Credential Dumping Via LSASS SilentProcessExit Technique
CrackMapExec File Indicators
Time Travel Debugging Utility Usage
HackTool - Windows Credential Editor (WCE) Execution
CreateDump Process Dump
HackTool - Credential Dumping Tools Named Pipe Created
DumpMinitool Execution
LSASS Process Dump Artefact In CrashDumps Folder
Process Memory Dump via RdrLeakDiag.EXE
LSASS Dump Keyword In CommandLine
Remote LSASS Process Access Through Windows Remote Management
LSASS Access Detected via Attack Surface Reduction
Lsass Memory Dump via Comsvcs DLL
HackTool - HandleKatz Duplicating LSASS Handle
Password Dumper Remote Thread in LSASS
Windows Credential Editor Registry
Potential SysInternals ProcDump Evasion
Potentially Suspicious AccessMask Requested From LSASS
SafetyKatz Default Dump Filename
Credential Dumping Attempt Via WerFault
HackTool - CrackMapExec Process Patterns
HackTool - Generic Process Access
Procdump Execution
Cred Dump Tools Dropped Files
Potential Credential Dumping Via WER - Application
HackTool - Dumpert Process Dumper Execution
Suspicious LSASS Access Via MalSecLogon
Credential Dumping Tools Service Execution - System
HackTool - Inveigh Execution
Suspicious DumpMinitool Execution
HackTool - HandleKatz LSASS Dumper Execution
LSASS Process Memory Dump Creation Via Taskmgr.EXE
Renamed CreateDump Utility Execution
Potential Credential Dumping Attempt Via PowerShell Remote Thread
LSASS Access From Non System Account
Password Dumper Activity on LSASS
Process Access via TrolleyExpress Exclusion
Credential Dumping Activity By Python Based Tool
HackTool - SafetyKatz Execution
Unsigned Image Loaded Into LSASS Process
Potential LSASS Process Dump Via Procdump
Potential Credential Dumping Activity Via LSASS
PowerShell Get-Process LSASS in ScriptBlock
Potential Adplus.EXE Abuse
Suspicious Dump64.exe Execution
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
HackTool - Mimikatz Execution
LSASS Memory Access by Tool With Dump Keyword In Name
Dumping Process via Sqldumper.exe
Time Travel Debugging Utility Usage - Image
Potentially Suspicious GrantedAccess Flags On LSASS
Lsass Full Dump Request Via DumpType Registry Settings
WerFault LSASS Process Memory Dump
Antivirus Password Dumper Detection
Potential Credential Dumping Via WER
HackTool - Dumpert Process Dumper Default File
Mimikatz Use
HackTool - CreateMiniDump Execution
LSASS Process Memory Dump Files
Transferring Files with Credential Data via Network Shares
Process Memory Dump Via Comsvcs.DLL
Transferring Files with Credential Data via Network Shares - Zeek
HackTool - XORDump Execution
LSASS Access From Potentially White-Listed Processes
Suspicious Renamed Comsvcs DLL Loaded By Rundll32
Credential Dumping Tools Service Execution - Security
Potential Credential Dumping Via LSASS Process Clone
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.