Home
ATT&CK Techniques
T1003.001 LSASS Memory

T1003.001 LSASS Memory Mappings

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump:

<code>procdump -ma lsass.exe lsass_dump</code>

Locally, mimikatz can be run using:

<code>sekurlsa::Minidump lsassdump.dmp</code>
<code>sekurlsa::logonPasswords</code>

Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)

The following SSPs can be used to access credentials:

Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-2	Account Management	Protects	T1003.001	LSASS Memory
AC-3	Access Enforcement	Protects	T1003.001	LSASS Memory
AC-4	Information Flow Enforcement	Protects	T1003.001	LSASS Memory
AC-5	Separation of Duties	Protects	T1003.001	LSASS Memory
AC-6	Least Privilege	Protects	T1003.001	LSASS Memory
CA-7	Continuous Monitoring	Protects	T1003.001	LSASS Memory
CM-2	Baseline Configuration	Protects	T1003.001	LSASS Memory
CM-5	Access Restrictions for Change	Protects	T1003.001	LSASS Memory
CM-6	Configuration Settings	Protects	T1003.001	LSASS Memory
CM-7	Least Functionality	Protects	T1003.001	LSASS Memory
IA-2	Identification and Authentication (organizational Users)	Protects	T1003.001	LSASS Memory
IA-5	Authenticator Management	Protects	T1003.001	LSASS Memory
SC-28	Protection of Information at Rest	Protects	T1003.001	LSASS Memory
SC-39	Process Isolation	Protects	T1003.001	LSASS Memory
SI-3	Malicious Code Protection	Protects	T1003.001	LSASS Memory
SI-4	System Monitoring	Protects	T1003.001	LSASS Memory
action.malware.variety.Password dumper	Password dumper (extract credential hashes)	related-to	T1003.001	OS Credential Dumping: LSASS Memory
action.malware.variety.RAM scraper	RAM scraper or memory parser (capture data from volatile memory)	related-to	T1003.001	OS Credential Dumping: LSASS Memory