LSASS Memory
https://attack.mitre.org/techniques/T1003/001/
ATT&CK ID: T1003.001
Permissions Required: Administrator | SYSTEM
Description
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. Mimikatz can then be used to pull information from the lsass_dump.dmp file.
The storage mechanism used by WDigest stores passwords in clear text in memory. If an adversary gains access to a system, they can use tools like Mimikatz and Lsassy to retrieve not only the password hashes stored in memory but also the actual passwords in clear text.
As a consequence, the attacker would not be restricted to only Pass-the-Hash methods of lateral movement, but could potentially gain access to other resources such as Exchange, internal websites, and any other systems that require a user ID and password for authentication.
With administrative RDP or interactive logon it is possible to create a dump file from lsass.exe using Task Manager.
Lsass.exe -> Right Click -> Create Dump File
Use Mimikatz to read the dump file after transferring it to an attacker-controlled system.
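From the defender's side, every variant above (Task Manager's "Create Dump File", Mimikatz, Lsassy) has to open a handle to lsass.exe with memory-read rights, and Sysmon records that as Event ID 10 (ProcessAccess). The following is an added triage example, not code from the page, from MITRE, or from any of the tools named; it assumes the Sysmon fields have been flattened into constructed tab-separated "Key: value" records (the sample records, the allowlist and the call-trace offsets are all constructed for this example and should be tuned per environment). It flags handles that include PROCESS_VM_READ from processes outside an allowlist, and raises the severity when the call trace passes through the minidump libraries (dbghelp.dll, dbgcore.dll) or through unbacked memory (shown as UNKNOWN by Sysmon).

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records that target lsass.exe.

Added example for the T1003.001 notes; not part of the page or of any tool it names.
Input is a constructed tab-separated flattening of the Sysmon fields.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows process access rights (winnt.h). Reading LSASS memory needs
# PROCESS_VM_READ; MiniDumpWriteDump also needs PROCESS_QUERY_INFORMATION.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Hypothetical allowlist of processes expected to open lsass.exe on this host.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Modules in the CallTrace that carry the minidump API.
DUMP_MODULES = ("dbghelp.dll", "dbgcore.dll")


@dataclass
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse one constructed 'Key: value<TAB>Key: value' record."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition(":")  # split at the first colon only
        fields[key.strip()] = value.strip()
    return ProcessAccessEvent(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
        call_trace=fields.get("CallTrace", ""),
    )


def triage(event: ProcessAccessEvent) -> Optional[str]:
    """Return 'high', 'medium', or None (not suspicious) for one event."""
    if not event.target_image.lower().endswith(r"\lsass.exe"):
        return None
    if not event.granted_access & PROCESS_VM_READ:
        return None  # handle cannot read memory; query-only opens are noise
    if event.source_image.lower() in ALLOWLIST:
        return None
    trace = event.call_trace.lower()
    if any(m in trace for m in DUMP_MODULES) or "unknown" in trace:
        return "high"
    return "medium"


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source_image, severity) for every flagged record, in input order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        sev = triage(ev)
        if sev:
            findings.append((ev.source_image, sev))
    return findings


def record(source: str, target: str, access: str, trace: str) -> str:
    """Build one constructed record in the flattened format parse_event expects."""
    return "\t".join([f"SourceImage: {source}", f"TargetImage: {target}",
                      f"GrantedAccess: {access}", f"CallTrace: {trace}"])


LSASS = r"C:\Windows\System32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4"

# Constructed sample events (paths, masks and offsets are illustrative).
SAMPLE_EVENTS = [
    # Task Manager "Create Dump File": minidump library visible in the call trace.
    record(r"C:\Windows\System32\taskmgr.exe", LSASS, "0x1410",
           NTDLL + r"|C:\Windows\System32\dbgcore.dll+1a2b3"),
    # Allowlisted AV engine reading LSASS: expected behaviour.
    record(r"C:\Program Files\Windows Defender\MsMpEng.exe", LSASS, "0x1010", NTDLL),
    # Query-only handle: no PROCESS_VM_READ, cannot read memory.
    record(r"C:\Windows\System32\svchost.exe", LSASS, "0x1000", NTDLL),
    # Unknown binary from a user profile, call trace through unbacked memory.
    record(r"C:\Users\alice\AppData\Local\Temp\update.exe", LSASS, "0x1010",
           NTDLL + "|UNKNOWN(00007FF6A0001234)"),
    # Non-allowlisted admin tool with memory-read rights and an ordinary call trace.
    record(r"C:\Tools\procexp64.exe", LSASS, "0x1410",
           NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+2b2f0"),
    # Same rights against a different target: not LSASS, ignored.
    record(r"C:\Windows\System32\taskmgr.exe", r"C:\Windows\explorer.exe", "0x1410", NTDLL),
]

if __name__ == "__main__":
    for source, severity in scan(SAMPLE_EVENTS):
        print(f"{severity.upper():6} {source}")
```

The allowlist is the part that needs local tuning: EDR agents, backup software and some monitoring tools legitimately open LSASS with PROCESS_VM_READ, and without an allowlist the rule pages on them. Pairing this with WDigest disabled (UseLogonCredential = 0) and LSA protection (RunAsPPL) reduces what a successful dump contains, but the access event is still the earliest signal.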