Listen to this Post

Introduction:
The Local Security Authority Subsystem Service (LSASS) is the crown jewel of Windows authentication, storing hashes, Kerberos tickets, and plaintext credentials under certain configurations. Adversaries exploit LSASS credential dumping to elevate privileges and move laterally across networks, making it one of the most dangerous post‑exploitation techniques in the MITRE ATT&CK framework.
Learning Objectives:
- Understand what secrets LSASS stores and how attackers dump them using tools like Mimikatz, ProcDump, and comsvcs.dll.
- Implement defensive layers including Credential Guard, LSASS as a Protected Process Light (PPL), and Attack Surface Reduction (ASR) rules.
- Detect LSASS access anomalies via Sysmon, Event Logs, and SIEM queries to block credential theft in real time.
You Should Know:
- What LSASS Stores and Why Attackers Target It
LSASS handles logon sessions, password changes, and security policies. It caches:
– NTLM hashes (allowing pass‑the‑hash attacks)
– Kerberos ticket‑granting tickets (TGTs) and service tickets
– LSA secrets (e.g., cached domain credentials, service account passwords)
– Plaintext credentials if WDigest is enabled (Windows 8.1/Server 2012 R2 and later disable it by default, but attackers can re‑enable it)
Step‑by‑step guide to inspect LSASS memory content (defensive perspective):
On Windows (admin PowerShell):
View LSASS process ID Get-Process lsass Check if WDigest is enabled (0 = disabled, 1 = enabled) Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential"
To see loaded security packages:
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v SecurityPackages
Attackers commonly use Mimikatz to dump LSASS:
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
2. Enabling Credential Guard to Virtualize LSASS
Credential Guard uses virtualization‑based security (VBS) to isolate LSASS from the kernel, blocking direct memory reads even from SYSTEM processes.
Step‑by‑step enablement (Windows 10/11 Enterprise or Server 2016+):
1. Verify hardware support:
Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V-Platform" Also confirm: UEFI lock, Virtualization Extensions, TPM 2.0
2. Enable via Group Policy:
- Open `gpedit.msc` → Computer Config → Administrative Templates → System → Device Guard
- Enable “Turn On Virtualization Based Security”
- Set “Credential Guard Configuration” to “Enabled with UEFI lock”
3. Deploy via PowerShell:
$settings = @{
"EnableVirtualizationBasedSecurity" = 1
"RequirePlatformSecurityFeatures" = 1
"EnableCredentialGuard" = 1
}
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Force
$settings.Keys | ForEach-Object { Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name $_ -Value $settings[$_] -Type DWord }
Reboot twice. Verify with:
Get-ComputerInfo -Property "DeviceGuard"
- Configuring LSASS as a Protected Process Light (PPL)
PPL prevents non‑PPL processes (e.g., Mimikatz running as admin) from opening LSASS with necessary access rights (PROCESS_VM_READ, PROCESS_QUERY_INFORMATION).
Step‑by‑step configuration:
Edit Registry:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPLBoot /t REG_DWORD /d 1 /f
To enforce even after Windows updates, set via Group Policy:
– Computer Config → Policies → Windows Settings → Security Settings → Local Policies → Security Options
– “Configure LSASS to run as a protected process” = Enabled (with UEFI lock)
Verify LSASS runs with PPL:
Get-Process lsass | Select-Object -ExpandProperty ProcessName; fls -p (Get-Process lsass).Id | findstr /i "protected"
Note: Even PPL can be bypassed by PPL‑like drivers (e.g., using a signed malicious driver), but it raises the bar significantly.
- Attack Surface Reduction (ASR) Rules to Block Credential Dumping
Windows Defender ASR rule `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` (Block credential stealing from LSASS) prevents processes from accessing LSASS for credential dumping.
Step‑by‑step enablement via PowerShell:
Add the ASR rule Add-MpPreference -AttackSurfaceReductionRules_Ids "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" -AttackSurfaceReductionRules_Actions Enabled Set to audit mode first (test impact) Add-MpPreference -AttackSurfaceReductionRules_Ids "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" -AttackSurfaceReductionRules_Actions Audit For Windows Server, install Defender for Endpoint features
Combine with another ASR rule `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` (Block process creations originating from PSExec and WMI commands) to stop lateral movement after dumping.
Monitor ASR blocks in Event Viewer → Microsoft-Windows-Windows Defender/Operational (Event ID 1121).
5. SIEM Detection Queries for LSASS Access Anomalies
Attackers bypass built‑in protections by using procdump, comsvcs.dll, or MiniDump functions. Monitor these indicators.
Step‑by‑step: Deploy Sysmon (Event ID 10 – ProcessAccess) to log any process opening LSASS with `GENERIC_ALL` or PROCESS_VM_READ.
Sysmon configuration snippet (install via sysmon64 -accepteula -i config.xml):
<Sysmon> <EventFiltering> <ProcessAccess onmatch="include"> <TargetImage condition="end with">lsass.exe</TargetImage> <AccessMask condition="bitmask all">0x001F0FFF</AccessMask> </ProcessAccess> </EventFiltering> </Sysmon>
SIEM query (Splunk/KQL example) to detect known dump tools:
EventID=10 TargetImage=lsass.exe SourceImage IN ("procdump", "mimikatz", "comsvcs.dll", "sqldumper")
Enable command line logging (Event ID 4688 with command line via GPO) to catch suspicious arguments:
Via GPO: Computer Config → Policies → Windows Settings → Security → Advanced Audit Policy → Detailed Tracking → "Audit Process Creation"
6. Least Privilege and Mitigation of Credential Reuse
The best defense is preventing attackers from obtaining high‑privilege credentials in the first place.
Step‑by‑step hardening:
- Remove local admin rights from users; use LAPS (Local Administrator Password Solution) for unique, rotating local admin passwords.
- Enforce Microsoft’s “Protected Users” group for all high‑value accounts – members cannot use NTLM or weak Kerberos encryption.
- Disable WDigest permanently:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential" -Value 0 -Type DWord -Force
- Restrict debug privilege (
SeDebugPrivilege) – only Administrators should have it, and even then limit via “Restricted Groups” GPO.
Example to enumerate who has SeDebugPrivilege:
whoami /priv Or use `secedit /export /cfg sec.cfg` and search for SeDebugPrivilege
What Undercode Say:
- LSASS credential dumping remains rampant because many organizations still rely on unsupported defenses like simple antivirus, while attackers use signed, living‑off‑the‑land binaries (e.g., comsvcs.dll, Task Manager’s dump) that bypass legacy tools. Credential Guard and LSASS PPL together block over 95% of commodity dumpers, but require TPM 2.0 and UEFI lock to prevent easy disabling.
- Modern detection must move beyond hash alerts – watch for unusual processes (even signed ones like
rundll32.exe) calling `MiniDumpWriteDump` on LSASS. Combine ASR rules with Sysmon and a SIEM that correlates LSASS access with anomalous source process ancestry (e.g., a VBScript spawning procdump).
Prediction:
By 2027, Microsoft will likely deprecate LSASS as a single‑process authentication authority, moving towards a fully isolated “Authentication Virtualization Service” running in a separate hypervisor partition by default. However, until then, credential dumping will escalate with AI‑driven red teams using dynamic payloads that bypass static ASR rules. Organizations failing to implement VBS‑based protections will face automated credential harvesters that spread across cloud‑connected hybrid identities, leading to more ransomware incidents where attackers dump LSASS from memory dumps staged in Azure Blob or AWS S3. The only sustainable solution is a defense‑in‑depth approach: zero standing privileges, just‑in‑time admin access, and continuous LSASS memory integrity attestation.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Abelousova Credential – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


