Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
Besides working with LSASS memory in place, an adversary can dump the LSASS process memory on the target host and analyze the dump file offline on a system they control.
For example, on the target host use procdump:
Locally, mimikatz can be run using:
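Both the in-memory and the dump-to-file procedures above need a handle to lsass.exe with memory-read rights, which is what a detection can key on. The following is an added example, not code from the original page: it scores Sysmon Event ID 10 (ProcessAccess) records by the access mask granted on lsass.exe and reports any opener that is not on an allow-list. The pipe-separated record layout, the sample events and the allow-list are constructed assumptions for the demo; a real deployment tunes the allow-list per host role.

```python
"""Flag handle opens on lsass.exe whose access mask allows reading its memory.

Added example, not from the original page. Record layout, sample events and
the allow-list are constructed assumptions; tune the allow-list per environment.
"""

# Process access rights from the Win32 PROCESS_* definitions.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_ALL_ACCESS = 0x1FFFFF  # what procdump -ma requests

# Images that legitimately read LSASS memory on this host (assumption; tune it).
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample records in the shape of Sysmon ProcessAccess fields.
SAMPLE_EVENTS = [
    r"EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\Users\bob\Downloads\procdump64.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\Temp\update.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Users\bob\Downloads\procdump64.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1FFFFF",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe",
]


def parse_event(line):
    """Split a pipe-separated key=value record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def image_name(path):
    """Lower-cased file name of a Windows path, whatever the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def access_reasons(granted):
    """Names of the rights in the mask that let a caller read or tamper with LSASS memory."""
    names = []
    if granted & PROCESS_VM_READ:
        names.append("PROCESS_VM_READ")
    if granted & PROCESS_VM_WRITE:
        names.append("PROCESS_VM_WRITE")
    if granted & PROCESS_DUP_HANDLE:
        names.append("PROCESS_DUP_HANDLE")
    if granted == PROCESS_ALL_ACCESS:
        names.append("PROCESS_ALL_ACCESS")
    return names


def detect_lsass_access(lines):
    """One finding per ProcessAccess event that reads lsass.exe from a non-allow-listed image."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        if image_name(ev.get("TargetImage", "")) != "lsass.exe":
            continue
        granted = int(ev.get("GrantedAccess", "0"), 16)
        reasons = access_reasons(granted)
        if not reasons:
            continue
        source = ev.get("SourceImage", "")
        if source.lower() in ALLOWED_SOURCE_IMAGES:
            continue
        findings.append({"source": source, "granted": hex(granted), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_lsass_access(SAMPLE_EVENTS):
        print(f"{f['source']} opened lsass.exe with {f['granted']} ({', '.join(f['reasons'])})")
```

Mimikatz's sekurlsa module opens LSASS with 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION) and procdump with 0x1FFFFF, so the rule keys on PROCESS_VM_READ rather than on exact masks; the 0x1000 and 0x1400 query-only opens that service hosts and WMI perform are ignored, and the security product on the allow-list is suppressed by full path rather than by file name so a copy of a trusted binary in a user-writable directory still fires.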
Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
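Because a rogue SSP has to be registered under one of the two <code>Security Packages</code> values before LSASS will load it, the registered list can be audited against a baseline. The following is an added example, not code from the original page or from any Windows tooling: it normalizes the REG_MULTI_SZ (or space-separated REG_SZ) package list and reports any entry outside an expected set. The baseline set and the sample snapshot are constructed assumptions; a real baseline must be captured from a known-good host of the same Windows build. The live read uses the standard-library <code>winreg</code> module and therefore only runs on Windows.

```python
"""Audit the LSA 'Security Packages' registry values against a baseline.

Added example, not code from the original page. BASELINE and SAMPLE_SNAPSHOT
are constructed assumptions; capture the real baseline from a known-good host.
"""

HIVE_PATHS = (
    r"SYSTEM\CurrentControlSet\Control\Lsa",
    r"SYSTEM\CurrentControlSet\Control\Lsa\OSConfig",
)
VALUE_NAME = "Security Packages"

# Assumed baseline for this host; the real one must come from a known-good image.
BASELINE = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}

# Constructed snapshot: the Lsa value is empty, OSConfig carries the defaults plus one extra DLL.
SAMPLE_SNAPSHOT = {
    HIVE_PATHS[0]: [""],
    HIVE_PATHS[1]: ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u",
                    r"C:\Windows\Temp\mimilib.dll"],
}


def normalize_packages(value):
    """Canonical package names from a REG_MULTI_SZ list or a space-separated REG_SZ string.

    Drops empty entries, directory components and a trailing .dll so that
    'C:\\Temp\\evil.dll', 'evil.dll' and 'evil' all compare as the package 'evil'.
    """
    entries = value.split() if isinstance(value, str) else value
    names = set()
    for entry in entries:
        name = entry.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.endswith(".dll"):
            name = name[:-4]
        if name:
            names.add(name)
    return names


def unexpected_packages(value, baseline=BASELINE):
    """Sorted package names present in the value but not in the baseline."""
    return sorted(normalize_packages(value) - baseline)


def audit_snapshot(snapshot, baseline=BASELINE):
    """Map each key path to the packages registered there that are not in the baseline."""
    return {path: unexpected_packages(value, baseline) for path, value in snapshot.items()}


def read_live_snapshot():
    """Read both values from the local registry (Windows only)."""
    import winreg  # standard library, only importable on Windows

    snapshot = {}
    for path in HIVE_PATHS:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, _type = winreg.QueryValueEx(key, VALUE_NAME)
            snapshot[path] = value
    return snapshot


if __name__ == "__main__":
    for path, extra in audit_snapshot(SAMPLE_SNAPSHOT).items():
        status = "OK" if not extra else "UNEXPECTED: " + ", ".join(extra)
        print(f"HKLM\\{path}\\{VALUE_NAME}: {status}")
```

The normalization matters because the value may name a bare package, a DLL file name or a full path, and a comparison on raw strings would miss a renamed copy. Since a package added this way is only loaded at the next boot or by an AddSecurityPackage call, an audit run after each reboot or on a schedule still leaves a window, so pair it with change monitoring on the two keys.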
The following SSPs can be used to access credentials:
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1003.001 | LSASS Memory | |
AC-3 | Access Enforcement | Protects | T1003.001 | LSASS Memory | |
AC-4 | Information Flow Enforcement | Protects | T1003.001 | LSASS Memory | |
AC-5 | Separation of Duties | Protects | T1003.001 | LSASS Memory | |
AC-6 | Least Privilege | Protects | T1003.001 | LSASS Memory | |
CA-7 | Continuous Monitoring | Protects | T1003.001 | LSASS Memory | |
CM-2 | Baseline Configuration | Protects | T1003.001 | LSASS Memory | |
CM-5 | Access Restrictions for Change | Protects | T1003.001 | LSASS Memory | |
CM-6 | Configuration Settings | Protects | T1003.001 | LSASS Memory | |
CM-7 | Least Functionality | Protects | T1003.001 | LSASS Memory | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1003.001 | LSASS Memory | |
IA-5 | Authenticator Management | Protects | T1003.001 | LSASS Memory | |
SC-28 | Protection of Information at Rest | Protects | T1003.001 | LSASS Memory | |
SC-39 | Process Isolation | Protects | T1003.001 | LSASS Memory | |
SI-3 | Malicious Code Protection | Protects | T1003.001 | LSASS Memory | |
SI-4 | System Monitoring | Protects | T1003.001 | LSASS Memory | |
azure_sentinel | Azure Sentinel | technique_scores | T1003.001 | LSASS Memory | Comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains an implementation of Mimikatz to gather credentials from memory, but does not address other procedures. |
file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1003.001 | LSASS Memory | Comments: This control can be used to detect the Windows Security Support Provider (SSP) DLL variation of this sub-technique by monitoring the Registry keys used to register these DLLs. These keys should change infrequently, so false positives should be minimal. |
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1003.001 | LSASS Memory | Comments: This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via PowerSploit's Exfiltration module (which includes Invoke-Mimikatz), but does not address other procedures, and the temporal factor is unknown, so the score is Minimal. |