T1003.001 LSASS Memory

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump (which writes the dump to lsass_dump.dmp):

  • <code>procdump -ma lsass.exe lsass_dump</code>

The dump file can then be parsed on the analyst's own system with mimikatz:

  • <code>sekurlsa::minidump lsass_dump.dmp</code>
  • <code>sekurlsa::logonPasswords</code>

Built-in Windows tools such as comsvcs.dll can also be used (PID is the decimal process ID of lsass.exe, and the calling context needs SeDebugPrivilege):

  • <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code> (Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)

Similar to Image File Execution Options Injection, the silent process exit mechanism can be abused to create a memory dump of lsass.exe through Windows Error Reporting (WerFault.exe): once lsass.exe is registered under the <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</code> Registry key with a full dump type, WerFault.exe writes the dump to the configured folder when a silent exit is reported for the process, without LSASS itself having to terminate.(Citation: Deep Instinct LSASS)
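The dump methods above (procdump, the comsvcs.dll MiniDump export, and the WerFault silent-process-exit route) leave two kinds of trace: a handle to lsass.exe opened with read access, and a tell-tale command line or registry write. As an added example, not code from the ATT&CK description or from the mapping project, the PowerShell below runs that detection logic over a few constructed Sysmon-style records (Event ID 10 ProcessAccess and Event ID 1 ProcessCreate). Field names follow Sysmon's schema; the allowlist of source images and the sample records are assumptions for illustration and must be tuned per environment.

```powershell
# Added example: triage Sysmon ProcessAccess (ID 10) and ProcessCreate (ID 1) records
# for LSASS dumping. Not code from the ATT&CK page; sample records are constructed.

# PROCESS_VM_READ (0x10) must be present in the access mask for any tool to read LSASS
# memory. procdump -ma asks for PROCESS_ALL_ACCESS (0x1FFFFF); MiniDumpWriteDump-based
# tools typically show 0x1010 or 0x1410 (QUERY_INFORMATION | VM_READ variants).
$PROCESS_VM_READ = 0x10

# Assumed allowlist of processes that legitimately open LSASS with VM_READ; tune per host.
$KnownGoodSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe'
)

# Command-line indicators for the dump methods described above (regex, case-insensitive).
$CommandLineIndicators = [ordered]@{
    'comsvcs\.dll.*\bMiniDump\b'    = 'comsvcs.dll MiniDump export'
    'procdump.*lsass'               = 'procdump against lsass.exe'
    'sekurlsa::'                    = 'mimikatz sekurlsa module'
    'SilentProcessExit\\lsass\.exe' = 'SilentProcessExit dump configuration for lsass.exe'
}

function Get-LsassFinding {
    # Returns a finding object for a suspicious record, or $null for a benign one.
    param([Parameter(Mandatory)] $Record)

    if ($Record.EventId -eq 10) {
        if ($Record.TargetImage -notmatch '\\lsass\.exe$') { return $null }
        $mask = [int]$Record.GrantedAccess                              # Sysmon logs a hex string
        if (($mask -band $PROCESS_VM_READ) -eq 0) { return $null }     # cannot read memory
        if ($KnownGoodSources -contains $Record.SourceImage) { return $null }
        return [pscustomobject]@{
            EventId   = 10
            Indicator = 'lsass.exe opened with PROCESS_VM_READ'
            Source    = $Record.SourceImage
            Detail    = ('GrantedAccess=0x{0:X}' -f $mask)
        }
    }

    if ($Record.EventId -eq 1) {
        foreach ($pattern in $CommandLineIndicators.Keys) {
            if ($Record.CommandLine -match $pattern) {
                return [pscustomobject]@{
                    EventId   = 1
                    Indicator = $CommandLineIndicators[$pattern]
                    Source    = $Record.Image
                    Detail    = $Record.CommandLine
                }
            }
        }
    }
    return $null
}

function ConvertFrom-SysmonRecord {
    # Flattens a record from Get-WinEvent into the shape Get-LsassFinding expects.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $WinEvent)
    $xml  = [xml]$WinEvent.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId       = $WinEvent.Id
        Image         = $data['Image']
        SourceImage   = $data['SourceImage']
        TargetImage   = $data['TargetImage']
        GrantedAccess = $data['GrantedAccess']
        CommandLine   = $data['CommandLine']
    }
}

# Constructed sample records (not real telemetry).
$SampleRecords = @(
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Windows\System32\csrss.exe';       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Users\bob\Desktop\procdump64.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Windows\System32\rundll32.exe';    TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1410' }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Windows\System32\Taskmgr.exe';     TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' }
    [pscustomobject]@{ EventId = 1;  Image = 'C:\Windows\System32\rundll32.exe'; CommandLine = 'rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\Temp\l.dmp full' }
    [pscustomobject]@{ EventId = 1;  Image = 'C:\Windows\System32\reg.exe';      CommandLine = 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe" /v DumpType /t REG_DWORD /d 2 /f' }
    [pscustomobject]@{ EventId = 1;  Image = 'C:\Windows\System32\svchost.exe';  CommandLine = 'svchost.exe -k netsvcs -p' }
)

$SampleRecords | ForEach-Object { Get-LsassFinding -Record $_ } | Format-Table -AutoSize

# Against live data:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 10 } |
#     ForEach-Object { Get-LsassFinding -Record (ConvertFrom-SysmonRecord $_) }
```

On the constructed records the function reports the procdump64.exe and rundll32.exe handle opens and the comsvcs.dll and SilentProcessExit command lines; csrss.exe is allowlisted, Taskmgr.exe's 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) carries no VM_READ bit, and the svchost.exe line matches nothing. Filtering on the VM_READ bit rather than on a fixed list of masks is what keeps the rule from missing tools that request an unusual access combination.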

Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in the <code>Security Packages</code> value of two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry values to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)

The following SSPs can be used to access credentials:

  • Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
  • Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection) Since Windows 8.1 and Server 2012 R2 (and on older systems with KB2871997 installed) WDigest no longer keeps plaintext passwords in LSASS memory unless <code>UseLogonCredential</code> under <code>HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest</code> is set to 1, so adversaries may set that value and wait for the next logon.
  • Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
  • CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
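Defensively, the things worth checking on a host for this sub-technique are which packages are registered in those two Security Packages values, whether each resolves to a signed DLL, whether lsass.exe has been registered under SilentProcessExit, and whether the settings that keep credential material out of reach are in place (LSA Protection / RunAsPPL, Credential Guard, and WDigest's UseLogonCredential, which is what makes the Wdigest package above hold plaintext passwords). The PowerShell below is an added example, not code from ATT&CK or from the mapping project; it also covers the Registry-key monitoring described under the Microsoft Defender for Cloud File Integrity Monitoring mapping further down. The baseline package list is an assumption to be replaced with the packages expected in your environment, and the script must run elevated.

```powershell
# Added example: audit LSA Security Package registration and LSASS hardening.
# Not code from the ATT&CK page or the mapping project. Run elevated.

$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$OsConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
$WDigestKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$SpeLsassKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'

# Assumed baseline; replace with the package names expected in your environment.
$BaselinePackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')

function Get-RegisteredSecurityPackages {
    # Reads the 'Security Packages' REG_MULTI_SZ value under both keys named above.
    # On many builds the Lsa value holds a single literal "" entry, which is not a package.
    $names = foreach ($key in @($LsaKey, $OsConfigKey)) {
        $value = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($n in @($value)) {
            if ($n -and $n.Trim() -ne '""') { [pscustomobject]@{ Key = $key; Package = $n.Trim() } }
        }
    }
    $names
}

function Test-SecurityPackageBaseline {
    # One row per registered package: is it expected, which DLL would LSASS load, is it signed?
    param([string[]] $Expected = $BaselinePackages)
    foreach ($entry in Get-RegisteredSecurityPackages) {
        $pkg = $entry.Package
        # LSASS loads <name>.dll through the normal DLL search (System32 first) unless a full
        # path is given; this mirrors that resolution closely enough for an audit.
        $dll = Join-Path "$env:SystemRoot\System32" $pkg
        if ([IO.Path]::IsPathRooted($pkg)) { $dll = $pkg }
        if ($dll -notmatch '\.dll$') { $dll = "$dll.dll" }
        $status = if (Test-Path -LiteralPath $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'DllMissing' }
        $expected = $Expected -contains $pkg.ToLowerInvariant()
        [pscustomobject]@{
            Key        = $entry.Key
            Package    = $pkg
            InBaseline = $expected
            Dll        = $dll
            Signature  = $status
            Suspicious = (-not $expected) -or ($status -ne 'Valid')
        }
    }
}

function Get-LsassHardening {
    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $wd  = Get-ItemProperty -Path $WDigestKey -ErrorAction SilentlyContinue
    $spe = Get-ItemProperty -Path $SpeLsassKey -ErrorAction SilentlyContinue
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # RunAsPPL = 1 (or 2 with UEFI lock) runs LSASS as a protected process: only Microsoft-signed
        # code can load into it and unprotected processes cannot open it for memory reads.
        LsaProtectionConfigured     = ($lsa.RunAsPPL -ge 1)
        # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running.
        CredentialGuardRunning      = ($dg.SecurityServicesRunning -contains 1)
        # UseLogonCredential = 1 tells WDigest to keep plaintext passwords in LSASS memory.
        WDigestPlaintextEnabled     = ($wd.UseLogonCredential -eq 1)
        # Any SilentProcessExit entry for lsass.exe is abnormal on a production host.
        SilentProcessExitConfigured = ($null -ne $spe)
    }
}

Write-Host '== Registered security packages =='
Test-SecurityPackageBaseline | Format-Table Package, InBaseline, Signature, Suspicious, Dll -AutoSize
Write-Host '== LSASS hardening =='
Get-LsassHardening | Format-List
```

A package that is not in the baseline, or whose DLL is missing or not validly signed, is the SSP variant of this sub-technique and should be investigated before the next reboot loads it. RunAsPPL in the Registry only shows that LSA Protection is configured; whether it took effect at boot is confirmed by the WinInit event in the System log that reports LSASS started as a protected process.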

CRI Profile Mappings

Capability ID  Capability Description                Mapping Type  ATT&CK ID  ATT&CK Name

PR.PS-01.01    Configuration baselines               Mitigates     T1003.001  LSASS Memory
Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.

PR.PS-01.02    Least functionality                   Mitigates     T1003.001  LSASS Memory
Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.

DE.CM-09.01    Software and data integrity checking  Mitigates     T1003.001  LSASS Memory
Comments: This diagnostic statement protects against LSASS Memory dumping by verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures.

DE.CM-06.02    Third-party access monitoring         Mitigates     T1003.001  LSASS Memory
Comments: This diagnostic statement protects against LSASS Memory dumping through privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.

PR.PS-01.03    Configuration deviation               Mitigates     T1003.001  LSASS Memory
Comments: This diagnostic statement provides protection from OS Credential Dumping: LSASS Memory through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. A security baseline configuration of the operating system together with integrity checking can help protect against adversaries attempting to compromise systems and elevate privileges.

PR.PS-01.07    Cryptographic keys and certificates   Mitigates     T1003.001  LSASS Memory
Comments: This diagnostic statement protects against OS Credential Dumping: LSASS Memory through key revocation and key management. Employing key protection strategies for the key material that protects the integrity of boot firmware and system images, storing those keys in hardware such as TPMs or HSMs, and using Credential Guard provides protection against adversaries trying to dump credentials from LSASS memory.

PR.AA-03.01    Authentication requirements           Mitigates     T1003.001  LSASS Memory
Comments: This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, using multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials.

PR.AA-01.01    Identity and credential management    Mitigates     T1003.001  LSASS Memory
Comments: This diagnostic statement protects against LSASS Memory dumping through hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID  Capability Description                                       Mapping Type  ATT&CK ID  ATT&CK Name
CA-07          Continuous Monitoring                                        mitigates     T1003.001  LSASS Memory
CM-06          Configuration Settings                                       mitigates     T1003.001  LSASS Memory
CM-05          Access Restrictions for Change                               mitigates     T1003.001  LSASS Memory
IA-05          Authenticator Management                                     mitigates     T1003.001  LSASS Memory
SC-03          Security Function Isolation                                  mitigates     T1003.001  LSASS Memory
SI-16          Memory Protection                                            mitigates     T1003.001  LSASS Memory
SC-28          Protection of Information at Rest                            mitigates     T1003.001  LSASS Memory
SC-39          Process Isolation                                            mitigates     T1003.001  LSASS Memory
SI-02          Flaw Remediation                                             mitigates     T1003.001  LSASS Memory
SI-03          Malicious Code Protection                                    mitigates     T1003.001  LSASS Memory
CM-02          Baseline Configuration                                       mitigates     T1003.001  LSASS Memory
IA-02          Identification and Authentication (Organizational Users)     mitigates     T1003.001  LSASS Memory
CM-07          Least Functionality                                          mitigates     T1003.001  LSASS Memory
SI-04          System Monitoring                                            mitigates     T1003.001  LSASS Memory
AC-02          Account Management                                           mitigates     T1003.001  LSASS Memory
AC-03          Access Enforcement                                           mitigates     T1003.001  LSASS Memory
AC-04          Information Flow Enforcement                                 mitigates     T1003.001  LSASS Memory
AC-05          Separation of Duties                                         mitigates     T1003.001  LSASS Memory
AC-06          Least Privilege                                              mitigates     T1003.001  LSASS Memory

Azure Mappings

Capability ID             Capability Description                                  Mapping Type      ATT&CK ID  ATT&CK Name

file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores  T1003.001  LSASS Memory
Comments: This control can be used to detect the Windows Security Support Provider (SSP) DLLs variation of this sub-technique by monitoring the Registry keys used to register these DLLs. These keys should change infrequently and therefore false positives should be minimal.

defender_for_app_service  Microsoft Defender for Cloud: Defender for App Service  technique_scores  T1003.001  LSASS Memory
Comments: This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and the temporal factor is unknown, so the score is Minimal.

GCP Mappings

Capability ID  Capability Description      Mapping Type      ATT&CK ID  ATT&CK Name

google_secops  Google Security Operations  technique_scores  T1003.001  LSASS Memory
Comments: Google SecOps can detect suspicious command-line activity, such as attempts to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS) on Windows machines (e.g., command lines referencing lsass.exe). This sub-technique was scored as Minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows