H3-2021-0044

Credential Dumping - Local Security Authority Subsystem Service (LSASS) Memory

Category SECURITY_CONTROLS
Base Score 7.2

Description

The Local Security Authority Subsystem Service (LSASS) is a Windows process that caches credential material in memory for users with active Windows sessions. Attackers with administrative privileges can extract these credentials from LSASS process memory using a variety of tools such as Mimikatz, procdump, and LaZagne.
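The access pattern described above leaves a detectable trace: a tool that reads LSASS memory must first open a handle to lsass.exe with process rights such as PROCESS_VM_READ. The following detection logic is an added example and not part of this advisory; it assumes Sysmon Event ID 10 (ProcessAccess) records are collected and flattened to one line each, the allowlist of system binaries is an assumed starting point to tune per environment, and the sample records are constructed rather than captured logs.

```python
# Added example (not part of the H3-2021-0044 advisory): flag processes that
# open lsass.exe with memory-read/inject rights, using Sysmon Event ID 10
# (ProcessAccess) records. Sample events below are constructed, not real logs.

# Windows process access rights (from winnt.h) that matter for LSASS dumping.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Any of these lets the caller read LSASS memory directly or inject code that does.
DUMP_RIGHTS = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE

# Masks commonly seen from memory-dumping tools; the labels are explanatory only.
KNOWN_MASKS = {
    0x1010: "VM_READ|QUERY_INFORMATION (minimum needed to read LSASS memory)",
    0x1410: "VM_READ|QUERY_INFORMATION|QUERY_LIMITED_INFORMATION",
    0x1FFFFF: "PROCESS_ALL_ACCESS",
}

# Assumed allowlist of system binaries that routinely open LSASS; tune per estate.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon Event ID 10 records, flattened to one "Key: Value|..." line each.
SAMPLE_EVENTS = [
    r"EventID: 10|SourceImage: C:\Windows\System32\csrss.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1000",
    r"EventID: 10|SourceImage: C:\Users\bob\Downloads\procdump64.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1FFFFF",
    r"EventID: 10|SourceImage: C:\Windows\System32\wininit.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1400",
    r"EventID: 10|SourceImage: C:\Users\bob\AppData\Local\Temp\m.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1010",
    r"EventID: 10|SourceImage: C:\Users\bob\AppData\Local\Temp\m.exe|TargetImage: C:\Windows\System32\notepad.exe|GrantedAccess: 0x1FFFFF",
]


def parse_sysmon_event(line):
    """Split a flattened Sysmon record into a dict; GrantedAccess becomes an int."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    fields["GrantedAccess"] = int(fields.get("GrantedAccess", "0"), 16)
    return fields


def describe_rights(mask):
    """Human-readable list of the dump-relevant rights present in an access mask."""
    names = {
        PROCESS_CREATE_THREAD: "CREATE_THREAD",
        PROCESS_VM_READ: "VM_READ",
        PROCESS_VM_WRITE: "VM_WRITE",
        PROCESS_DUP_HANDLE: "DUP_HANDLE",
    }
    return [name for bit, name in names.items() if mask & bit]


def assess_event(event):
    """Return an alert dict for suspicious LSASS access, or None for benign events."""
    if event.get("EventID") != "10":
        return None
    target = event.get("TargetImage", "").lower()
    if target.rsplit("\\", 1)[-1] != "lsass.exe":
        return None
    source = event.get("SourceImage", "").lower()
    granted = event["GrantedAccess"]
    if not granted & DUMP_RIGHTS:
        return None  # query-only handles are normal and noisy; do not alert
    if source in BENIGN_SOURCES:
        return None  # assumed allowlist; a replaced system binary would still slip through
    return {
        "source": source,
        "granted": granted,
        "rights": describe_rights(granted),
        "known_mask": KNOWN_MASKS.get(granted, "uncommon mask"),
    }


def scan(lines):
    """Run the assessment over raw records and collect the alerts in order."""
    alerts = []
    for line in lines:
        alert = assess_event(parse_sysmon_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT lsass.exe opened by {alert['source']} with 0x{alert['granted']:X} "
              f"({', '.join(alert['rights'])}; {alert['known_mask']})")
```

Of the five constructed records, only the two from user-writable paths with read or inject rights on lsass.exe produce alerts; the query-only handles from csrss.exe and wininit.exe are left alone because they occur constantly on a healthy host. A full-path allowlist is deliberately narrow, since matching on the basename alone would let any binary named like a system process bypass the rule.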

Impact

Attackers who obtain cleartext credentials or NTLM hashes from LSASS memory can log in directly with those credentials. Domain user credentials can be used to move laterally across the Active Directory environment, and password re-use between accounts or systems extends that reach further.

References