H3-2021-0044
Credential Dumping - Local Security Authority Subsystem Service (LSASS) Memory

| Field | Value |
| --- | --- |
| Category | SECURITY_CONTROLS |
| Base Score | 7.2 |

Description
The Local Security Authority Subsystem Service (LSASS) is a Windows process that caches credential material in memory for users with active Windows sessions. Attackers with administrative privileges can extract these credentials from LSASS process memory using a variety of tools such as Mimikatz, procdump, and LaZagne.
Impact
Attackers who obtain cleartext credentials or NTLM hashes from LSASS memory can log in directly with those credentials. Domain user credentials can be used to move laterally across the Active Directory environment, and attackers can also exploit password re-use to move laterally.
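Because the access described above requires opening the LSASS process with memory-read rights, process-access telemetry is the usual detection point. The following Python is an added example, not part of this finding: it runs a simple detection rule over constructed Sysmon Event ID 10 (ProcessAccess) records, flagging any process outside an assumed allow-list that opens lsass.exe with an access mask containing PROCESS_VM_READ, PROCESS_VM_WRITE or PROCESS_VM_OPERATION. The key="value" record layout, the allow-list contents and all file paths in the sample log are assumptions for illustration.

```python
"""Detection logic for suspicious LSASS process access.

Added example (not the finding's own tooling). Assumes Sysmon is deployed and
its Event ID 10 (ProcessAccess) records are available as key="value" lines.
"""
import re

# Windows process access rights (winnt.h) that allow reading or writing the
# target's memory; these are the bits that matter for LSASS credential theft.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_ACCESS_MASK = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumed allow-list of processes that legitimately open LSASS; tune per
# environment and keep it short, since anything on it is never alerted.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Parses key="value" pairs as they appear in the constructed records below.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one key="value" record into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))


def is_suspicious(event):
    """True when a non-allow-listed process opens lsass.exe with memory access."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)  # e.g. "0x1010"
    except ValueError:
        return True  # malformed mask: surface for review rather than drop it
    return bool(granted & MEMORY_ACCESS_MASK)


def find_lsass_access(lines):
    """Return (SourceImage, GrantedAccess) for every record the rule flags."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            hits.append((event.get("SourceImage"), event.get("GrantedAccess")))
    return hits


# Constructed sample records (not real telemetry): a benign system process,
# an unknown binary in a temp folder reading LSASS memory, a query-only open,
# a full-access open from a downloads folder, and two non-matching events.
SAMPLE_LOG = [
    r'EventID="10" SourceImage="C:\Windows\System32\svchost.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1000"',
    r'EventID="10" SourceImage="C:\Users\alice\AppData\Local\Temp\update.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1010"',
    r'EventID="10" SourceImage="C:\Windows\System32\taskmgr.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1400"',
    r'EventID="10" SourceImage="C:\Users\alice\Downloads\dump.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1FFFFF"',
    r'EventID="10" SourceImage="C:\Windows\explorer.exe" TargetImage="C:\Windows\System32\notepad.exe" GrantedAccess="0x1010"',
    r'EventID="1" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c whoami"',
]

if __name__ == "__main__":
    for source, access in find_lsass_access(SAMPLE_LOG):
        print(f"ALERT: {source} opened lsass.exe with GrantedAccess {access}")
```

The rule deliberately keys on the access mask rather than on tool names, so renamed or custom dumpers are still caught; a query-only open (0x1400 in the sample) is not alerted, which keeps noise from inventory and monitoring agents down. In practice the allow-list should be validated against the process's signer and full path, not the path string alone.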