LSASS Memory
https://attack.mitre.org/techniques/T1003/001/
ATT&CK ID: T1003.001
Permissions Required: Administrator | SYSTEM
Description
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
Techniques
comsvcs.dll
Mimikatz
Procdump
URL: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
Mimikatz can then be used to pull information from the lsass_dump.dmp file.
Dumping cleartext credentials
The storage mechanism used by WDigest stores passwords in clear text in memory. If an adversary gains access to a system, they can utilize tools like Mimikatz and Lsassy to retrieve not only the password hashes stored in memory, but also the actual passwords in clear text.
As a consequence, the attacker would not be restricted to only Pass-the-Hash methods of lateral movement, but could potentially gain access to other resources such as Exchange, internal websites, and any other systems that require a user ID and password for authentication.
Task Manager / RDP
With administrative RDP or interactive logon it is possible to create a dump file from Lsass.exe using Task Manager.
Lsass.exe -> Right Click -> Create Dump File
Use Mimikatz to read the dump file after transferring the file to an attacker-controlled system.
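Every technique on this page (Procdump, Mimikatz, comsvcs.dll and the Task Manager dump) has to open a handle to lsass.exe with memory-read rights, which is what Sysmon Event ID 10 (ProcessAccess) records. The following is an added example, not code from this page or from any of the tools named: it runs over a few constructed Event ID 10 records and flags lsass.exe handles that carry PROCESS_VM_READ or whose CallTrace shows the MiniDump libraries (dbghelp.dll / dbgcore.dll, which back MiniDumpWriteDump). The allowlisted agent path and all sample events are constructed for the demonstration.

```python
"""Flag suspicious handle opens against lsass.exe in Sysmon Event ID 10 data.

Added example for detection; the sample events and allowlist are constructed.
"""
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010       # right needed to read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF  # mask typically requested by Procdump-style dumpers

# Libraries that implement MiniDumpWriteDump. Seeing them in the CallTrace of an
# lsass.exe handle means a full memory dump (Task Manager, Procdump, comsvcs.dll).
MINIDUMP_DLLS = ("dbghelp.dll", "dbgcore.dll")

# Hypothetical allowlist: security agents that legitimately read lsass memory.
ALLOWLIST = {r"c:\program files\exampleedr\agent.exe"}


@dataclass
class Alert:
    source: str
    reason: str


def _access_mask(value):
    """Sysmon logs GrantedAccess as a hex string such as '0x1010'."""
    return int(str(value), 16)


def classify(event):
    """Return an Alert for a suspicious lsass.exe access, or None."""
    if event.get("EventID") != 10:
        return None
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "")
    if source.lower() in ALLOWLIST:
        return None
    mask = _access_mask(event.get("GrantedAccess", "0x0"))
    trace = event.get("CallTrace", "").lower()
    if any(dll in trace for dll in MINIDUMP_DLLS):
        return Alert(source, f"MiniDump library in CallTrace (GrantedAccess {mask:#x})")
    if mask & PROCESS_VM_READ:
        return Alert(source, f"PROCESS_VM_READ granted on lsass.exe (GrantedAccess {mask:#x})")
    return None


def scan(events):
    """Run classify() over a list of events and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample records in the shape of Sysmon Event ID 10 fields.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(00007FF6A1B2C3D4)"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\dbgcore.dll+1a8c4"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\ExampleEDR\agent.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.source}: {alert.reason}")
```

The first sample record is flagged for PROCESS_VM_READ and the Task Manager record for the MiniDump library in its call stack; the svchost query (0x1000, PROCESS_QUERY_LIMITED_INFORMATION), the allowlisted agent and the non-lsass target are left alone. Treat GrantedAccess as a first filter rather than a verdict: 0x1010 and 0x1fffff are the masks usually seen from Mimikatz and Procdump, but legitimate software sometimes requests more access than it uses, so the allowlist and the CallTrace check carry the precision. Independent of detection, the cleartext exposure described under "Dumping cleartext credentials" is governed by the UseLogonCredential value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest; a value of 0 (the default on current Windows versions) stops LSASS from caching the cleartext password.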