LSASS Memory

Executive Summary

The Local Security Authority Subsystem Service (lsass.exe) enforces Windows security policy and processes authentication. Depending on system configuration and active sessions, its memory may contain credential material useful for lateral movement or privilege escalation. Adversaries therefore attempt to read LSASS directly, create a process dump, or obtain equivalent access through a signed utility, driver, or injected process.

Why Attackers Use It

• Credential material from active privileged sessions may unlock additional systems.
• One successful dump can expose several users, service accounts, hashes, tickets, or authentication packages.
• Dumping may be performed with native or signed components rather than a clearly malicious binary.
• Offline parsing separates collection from later credential extraction.

MITRE Description

MITRE classifies access to LSASS memory as T1003.001, a sub-technique of OS Credential Dumping. Implementations include opening the LSASS process, creating a minidump, abusing diagnostic facilities, loading a driver, or parsing a dump elsewhere. Available secrets vary with Windows version, authentication method, Credential Guard, LSA protection, and current logon sessions.

Attack Flow

1. The adversary obtains local administrative or SYSTEM-level capability, or exploits a path that grants equivalent process access.
2. A process identifies LSASS and requests a sensitive handle, loads supporting code, or invokes a dump mechanism.
3. LSASS memory is read directly or written to a dump file.
4. Credential tooling parses memory structures locally or after the dump is moved.
5. Recovered hashes, tickets, or secrets are used for lateral movement, persistence, or further credential access.

Prerequisites

• Local privilege sufficient to access the protected LSASS process.
• A host with useful active or cached authentication material.
• A collection method compatible with LSA protection, Credential Guard, and endpoint controls.
• File-system access if a dump is written to disk.

Common Tools

• Mimikatz and credential-parsing frameworks
• ProcDump and other diagnostic dump utilities
• Windows comsvcs.dll MiniDump behavior
• Task Manager dump functionality
• Security-support and forensic tools that can create legitimate process dumps

Commands

Recognition patterns for authorized laboratories and defensive testing:

procdump.exe -ma lsass.exe <dump-file>
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass-pid> <dump-file> full
mimikatz "sekurlsa::minidump <dump-file>" "sekurlsa::logonpasswords"

Detection should focus on LSASS access, dump creation, process ancestry, signer, path, and subsequent credential use—not command strings alone.

Network Traffic

LSASS collection is primarily local and may generate no network traffic. Network evidence usually appears when tooling is delivered, a dump is staged or exfiltrated, or recovered credentials are reused. Correlate the endpoint event with SMB, WinRM, RDP, cloud authentication, or other lateral activity occurring shortly afterward.

Windows Events

Sysmon Events

Detection Opportunities

• Monitor Sysmon Event 10 for uncommon processes opening LSASS with rights capable of reading memory.
• Detect process-dump tools targeting LSASS and comsvcs.dll MiniDump invocation.
• Identify dump files created outside approved diagnostic paths or by unexpected parents.
• Alert on unsigned, user-writable-path, or unusual processes accessing LSASS.
• Correlate LSASS access with driver loads, endpoint-security tampering, dump compression, file transfer, and subsequent authentication.
• Baseline legitimate EDR, antivirus, accessibility, and support tools before enforcing broad blocks.

Sigma Rules

title: Suspicious Process Access to LSASS
id: a09a8844-55a9-4dc1-a8de-44e9007c6072
status: experimental
description: Detects uncommon processes requesting high-risk access to LSASS through Sysmon process-access telemetry.
logsource:
  product: windows
  category: process_access
detection:
  selection:
    TargetImage|endswith: '\\lsass.exe'
    GrantedAccess|contains:
      - '0x1010'
      - '0x1410'
      - '0x1438'
      - '0x1fffff'
  filter_system:
    SourceImage|startswith:
      - 'C:\\Windows\\System32\\'
      - 'C:\\Program Files\\'
  condition: selection and not filter_system
falsepositives:
  - Security products and approved diagnostic tooling
level: high
tags:
  - attack.credential-access
  - attack.t1003.001

Splunk Queries

index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
| eval source=lower(SourceImage)
| where match(GrantedAccess,"(?i)0x(1010|1410|1438|1fffff)")
| stats count values(GrantedAccess) as access values(CallTrace) as call_trace by host user SourceImage TargetImage
| sort - count

Investigation Workflow

1. Confirm the source process, parent, user, integrity level, signer, hash, path, granted access, and call trace.
2. Determine whether the source belongs to approved security or diagnostic software and whether the activity matches an authorized support case.
3. Search for dump files, archives, renamed outputs, deleted files, and outbound transfers around the event.
4. Review preceding privilege escalation, driver loading, endpoint-security changes, PowerShell, service creation, and remote access.
5. Identify accounts logged on to the host during the exposure window and classify their privilege.
6. Search for subsequent NTLM, Kerberos, RDP, SMB, WinRM, VPN, and cloud authentication by exposed identities.
7. Scope other hosts that executed the same binary or hash and preserve relevant memory or disk evidence where appropriate.

Containment

1. Isolate the host if malicious LSASS access is confirmed.
2. Disable or restrict exposed privileged identities and revoke active sessions.
3. Rotate potentially exposed passwords, service credentials, and relevant keys using a privilege-aware sequence.
4. Block confirmed malicious hashes, certificates, drivers, or execution paths.
5. Preserve dump files and endpoint telemetry before remediation when incident procedures require it.

Mitigation

• Enable Credential Guard on supported systems.
• Configure LSASS to run as a protected process and monitor audit-mode compatibility results.
• Apply the Defender attack-surface-reduction rule that blocks credential stealing from LSASS where operationally suitable.
• Reduce local administration and privileged interactive logons.
• Use separate administrative accounts and hardened administrative workstations.
• Maintain endpoint protection tamper controls and monitor driver installation.

Related Techniques

• T1003 — OS Credential Dumping
• T1027.005 — Indicator Removal from Tools
• T1055 — Process Injection
• T1550.002 — Pass the Hash
• T1550.003 — Pass the Ticket