Potential Credential Dumping Activity via LSASS Process Access
Adversaries frequently target the Local Security Authority Subsystem Service (LSASS) process on Windows systems to dump credentials, employing tools like Mimikatz, NanoDump, or Procdump to extract sensitive authentication material for lateral movement and persistence.
Credential dumping from the Local Security Authority Subsystem Service (LSASS) is a critical post-exploitation technique widely utilized by adversaries to steal user credentials, often leading to significant compromises including lateral movement, privilege escalation, and data exfiltration. Attackers leverage various tools, such as Mimikatz, NanoDump, Invoke-Mimikatz, or even built-in Windows utilities like Task Manager or Procdump, to access the memory of the lsass.exe process. This memory contains sensitive authentication data, including NTLM hashes and Kerberos tickets, which can then be used in pass-the-hash or pass-the-ticket attacks. Detecting these attempts is crucial for identifying an adversary's presence on a compromised system and preventing further progression of an attack. The technique is a staple for many threat groups, from financially motivated cybercriminals to state-sponsored APTs.
Attack Chain
- Initial Compromise: An adversary first gains initial access to a Windows system, typically through phishing, exploitation of a vulnerability, or other initial access vectors.
- Execution of Dumping Tool: The attacker executes a credential dumping tool (e.g.,
mimikatz.exe,NanoDump.exe,procdump.exe, or a PowerShell script likeInvoke-Mimikatz). - Process Open Request: The executed tool attempts to open the
lsass.exeprocess to gain read access to its memory. - Granted Access Negotiation: The tool requests specific memory access rights to
lsass.exe(e.g.,0x1038forPROCESS_VM_READ | PROCESS_QUERY_INFORMATION). - Memory Access and Dumping: The tool uses specific system libraries and functions (e.g.,
dbgcore.dll,dbghelp.dll,kernel32.dll,kernelbase.dll,ntdll.dll) to access and dump thelsass.exeprocess memory. - Credential Extraction: Sensitive information such as NTLM hashes, Kerberos tickets, or plaintext passwords are extracted from the dumped memory.
- Post-Dumping Activity: The adversary uses the harvested credentials for lateral movement within the network, privilege escalation, or maintaining persistence.
Impact
Successful credential dumping from LSASS allows attackers to gain unauthorized access to other systems and services within an organization, escalating privileges and enabling widespread lateral movement. This can lead to a complete compromise of the domain, including access to sensitive data, intellectual property, or critical infrastructure. Organizations can face severe financial losses from data breaches, regulatory fines, operational disruption, and significant reputational damage. The average cost of a data breach can run into millions of dollars, with credential theft being a primary enabler of these breaches.
Recommendation
- Deploy the Sigma rule "Potential Credential Dumping Activity Via LSASS" to your SIEM to detect process access to
lsass.exewith suspicious access masks and call traces. - Ensure Sysmon (specifically ProcessAccess events) is configured to capture
process_accessevents for thelsass.exeprocess on all critical Windows endpoints. - Implement strong access controls and Least Privilege principles to limit the ability of non-administrative users and processes to open
lsass.exefor memory read operations. - Regularly review
process_accesslogs for suspicious activity targetinglsass.exe, especially from processes that are not standard system utilities or security software.
Detection coverage 1
Potential Credential Dumping Activity Via LSASS
mediumDetects process access requests to the LSASS process with specific call trace calls and access masks, indicative of credential dumping tools like Mimikatz or Procdump.
Detection queries are available on the platform. Get full rules →