T1003.001
LSASS Memory
Description
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. For example, on the target host use procdump (which appends `.dmp` to the output file name):

* `procdump -ma lsass.exe lsass_dump`

Locally, mimikatz can be run against the copied dump using:

* `sekurlsa::Minidump lsass_dump.dmp`
* `sekurlsa::logonPasswords`

Built-in Windows tools such as `comsvcs.dll` can also be used, where PID is the process ID of `lsass.exe`:

* `rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full`

(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)

Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)

Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, S…
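The dump paths above each leave distinct telemetry: a handle to `lsass.exe` with memory-read rights (Sysmon Event ID 10), a `rundll32.exe` command line naming `comsvcs.dll MiniDump` (Event ID 1), registry writes that arm the silent-process-exit dump or register a new SSP (Event ID 13), and a DLL entering `lsass.exe` from outside System32 (Event ID 7). The following is an added example, not MITRE's code or this page's, of a small detector that applies those indicators to constructed Sysmon-style events. The event dicts are invented sample data whose field names follow Sysmon; `ALLOWED_SOURCES` is an assumed baseline of images that legitimately open LSASS and would be tuned per environment.

```python
# Added example: T1003.001 indicator checks over Sysmon-style events.
# Not MITRE's or the hosting page's code; SAMPLE_EVENTS are constructed and
# ALLOWED_SOURCES is an assumed baseline that must be tuned per environment.

PROCESS_VM_READ = 0x0010  # the access bit every memory-reading dump needs

# Images that open lsass.exe legitimately on a stock host (assumption).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
# Call-stack modules that betray MiniDumpWriteDump or unbacked (injected) code.
SUSPICIOUS_CALLTRACE = ("dbghelp.dll", "dbgcore.dll", "unknown")


def _is_lsass(path):
    return path.lower().endswith(r"\lsass.exe")


def check_process_access(ev):
    """Event ID 10: a handle to lsass.exe carrying PROCESS_VM_READ."""
    if ev.get("EventID") != 10 or not _is_lsass(ev["TargetImage"]):
        return None
    if not int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
        return None  # e.g. 0x1000 (QUERY_LIMITED_INFORMATION) cannot read memory
    bad_trace = any(m in ev.get("CallTrace", "").lower() for m in SUSPICIOUS_CALLTRACE)
    # An allow-listed image stays suspicious when its stack shows dump helpers
    # or unbacked memory, i.e. code injected into a trusted process.
    if ev["SourceImage"].lower() in ALLOWED_SOURCES and not bad_trace:
        return None
    return f"lsass_access: {ev['SourceImage']} GrantedAccess={ev['GrantedAccess']}"


def check_command_line(ev):
    """Event ID 1: rundll32 driving comsvcs.dll's MiniDump export."""
    cmd = ev.get("CommandLine", "").lower()
    if ev.get("EventID") == 1 and "comsvcs.dll" in cmd and "minidump" in cmd:
        return f"comsvcs_minidump: {ev['CommandLine']}"
    return None


def check_registry(ev):
    """Event ID 13: WerFault silent-process-exit setup or SSP registration."""
    if ev.get("EventID") != 13:
        return None
    key = ev["TargetObject"].lower()
    if (r"\image file execution options\lsass.exe\globalflag" in key
            or r"\silentprocessexit\lsass.exe" in key):
        return f"silent_process_exit: {ev['TargetObject']}"
    if key.endswith((r"\lsa\security packages", r"\lsa\osconfig\security packages")):
        return f"ssp_registration: {ev['TargetObject']} -> {ev.get('Details', '')}"
    return None


def check_image_load(ev):
    """Event ID 7: a module entering lsass.exe from outside System32 or unsigned."""
    if ev.get("EventID") != 7 or not _is_lsass(ev["Image"]):
        return None
    loaded = ev["ImageLoaded"]
    outside = not loaded.lower().startswith("c:\\windows\\system32\\")
    unsigned = str(ev.get("Signed", "")).lower() != "true"
    if outside or unsigned:
        return f"lsass_module_load: {loaded} signed={ev.get('Signed')}"
    return None


CHECKS = (check_process_access, check_command_line, check_registry, check_image_load)


def scan(events):
    """Return one finding string per event that trips any check."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (not real logs): benign csrss handle, procdump,
# injected svchost, comsvcs MiniDump, IFEO GlobalFlag, SSP registration,
# a legitimate msv1_0.dll load and an unsigned DLL loaded from ProgramData.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\SYSTEM32\csrsrv.dll+2f38"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\SYSTEM32\dbgcore.dll+1f2a"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|UNKNOWN(000001F3A2B40C12)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 624 C:\Temp\lsass.dmp full"},
    {"EventID": 13, "Details": "DWORD (0x00000200)", "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\GlobalFlag"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u evilssp"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\msv1_0.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\ProgramData\evilssp.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The access-mask check keys on the single `PROCESS_VM_READ` bit rather than a list of known masks (0x1010, 0x1410, 0x1FFFFF), because any dump must read memory whatever else it requests; the call-trace test is what catches a dumper that has injected into an allow-listed process such as `svchost.exe`. Tuning in a real deployment consists mostly of growing `ALLOWED_SOURCES` from observed Event ID 10 baselines.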
Platforms
Windows
Mitigations
- M1028 — Operating System Configuration
- M1043 — Credential Access Protection
- M1025 — Privileged Process Integrity
- M1026 — Privileged Account Management
- M1017 — User Training
- M1040 — Behavior Prevention on Endpoint
- M1027 — Password Policies
Source: MITRE ATT&CK Enterprise matrix (attack.mitre.org).