LSASS Memory

Information

• Name: LSASS Memory

• ID: T1003.001

• Tactics: TA0006

• Technique: T1003

Introduction

LSASS Memory (T1003.001) is a sub-technique within the Credential Dumping tactic (T1003) of the MITRE ATT&CK framework. This sub-technique specifically involves attackers targeting the Local Security Authority Subsystem Service (LSASS) process memory on Windows systems to extract sensitive credential information. LSASS is responsible for enforcing security policies and handling user authentication, making it a prime target for attackers seeking to escalate privileges, move laterally, or maintain persistence within a compromised network.

Deep Dive Into Technique

Attackers utilize various methods and tools to dump credentials from LSASS memory. The LSASS process stores credentials such as NTLM hashes, Kerberos tickets, plaintext passwords (in some cases), and other authentication data. Commonly employed methods include:

• Process Dumping: Attackers use tools like ProcDump, Task Manager, or built-in Windows utilities (e.g., MiniDumpWriteDump API calls) to create a memory dump of the LSASS process. Once dumped, attackers transfer the memory dump file to their own systems for offline credential extraction.

• Direct Memory Access: Tools such as Mimikatz, Invoke-Mimikatz (PowerShell implementation), or custom scripts directly access LSASS memory to extract credentials in real-time without creating a dump file.

• API Calls and System Utilities: Attackers leverage legitimate Windows features like comsvcs.dll (e.g., rundll32.exe comsvcs.dll, MiniDump) or PowerShell scripts to dump LSASS memory stealthily.

• Privilege Requirements: Typically, administrative privileges or SYSTEM-level access are required to successfully dump LSASS memory. Attackers often escalate privileges prior to performing this technique.

Real-world procedures often follow these steps:

1. Gain initial foothold on the target system through phishing, exploitation, or other entry vectors.

2. Escalate privileges to administrative level or SYSTEM.

3. Dump LSASS memory using chosen method/tool.

4. Extract credentials (hashes, tickets, plaintext passwords) offline or in real-time.

5. Use extracted credentials for lateral movement, persistence, or further exploitation.

When this Technique is Usually Used

Attackers commonly employ LSASS memory dumping during several stages and scenarios of an attack lifecycle:

• Privilege Escalation Stage: After initial access, attackers attempt to escalate privileges by extracting administrative credentials stored in LSASS.

• Lateral Movement Stage: Credentials extracted from LSASS memory enable attackers to move laterally across networked systems without triggering additional alarms or authentication failures.

• Persistence Stage: Attackers store obtained credentials for persistent access, even if initial entry points become unavailable.

• Post-Exploitation Reconnaissance: Attackers use dumped credentials to map internal networks, identify critical assets, and plan further exploitation.

• Credential Harvesting Campaigns: Organized threat actors and ransomware operators often use LSASS memory dumping as part of their standard pre-deployment procedures.

How this Technique is Usually Detected

Detection methods and tools for LSASS memory dumping typically include:

• Endpoint Detection and Response (EDR) Solutions: Tools such as CrowdStrike Falcon, Microsoft Defender for Endpoint, Carbon Black, and SentinelOne monitor suspicious LSASS memory access and dumping events.

• Sysmon Logs: Monitoring Sysmon Event ID 10 (ProcessAccess) can detect suspicious process interactions with LSASS.exe.

• Windows Event Logs: Events such as Event ID 4656 (Handle requested to LSASS.exe) and Event ID 4663 (Attempted access to LSASS memory) can indicate suspicious behavior.

• Memory Dump File Detection: Monitoring for creation of suspicious dump files (e.g., lsass.dmp) on disk.

• Behavioral Analytics: SIEM solutions and behavioral analytics tools detect unusual process interactions, API calls, or unexpected LSASS memory access.

• Indicators of Compromise (IoCs):

  • Suspicious command-line invocation (e.g., rundll32.exe comsvcs.dll, MiniDump).

  • Presence or execution of known credential dumping tools (Mimikatz, ProcDump, Invoke-Mimikatz).

  • Unusual file creations (e.g., .dmp files) in temporary or unusual directories.

  • Suspicious PowerShell scripts or encoded commands targeting LSASS.

Why it is Important to Detect This Technique

Early detection of LSASS memory dumping is crucial due to its significant impact on system and network security:

• Credential Exposure: Attackers gain access to sensitive credentials, enabling privilege escalation, lateral movement, and persistence.

• Rapid Attack Progression: Once credentials are harvested from LSASS, attackers can quickly compromise additional systems, amplifying the scale and severity of breaches.

• Data Exfiltration Risks: Compromised credentials facilitate unauthorized access to critical data, leading to potential data theft, leakage, or ransomware deployment.

• Compliance and Regulatory Issues: Credential theft and unauthorized access can trigger compliance violations, regulatory fines, and legal repercussions.

• Reputation Damage: Credential dumping attacks often lead to severe reputational harm, loss of customer trust, and financial impacts.

Early detection and rapid response to LSASS memory dumping events significantly reduce attacker dwell time, minimize potential damage, and enhance overall cybersecurity resilience.

Examples

Real-world examples and attack scenarios involving LSASS memory dumping include:

• Mimikatz Usage in APT Attacks:

  • Attackers leverage Mimikatz to directly extract credentials from LSASS memory.

  • Commonly used by groups such as APT28 (Fancy Bear), APT29 (Cozy Bear), and others.

  • Credentials obtained facilitate lateral movement, persistence, and data exfiltration.

• Ryuk Ransomware Attacks:

  • Ryuk operators frequently use LSASS memory dumping (via built-in tools or Mimikatz) to gather administrative credentials before deploying ransomware payloads.

  • Credentials extracted enable rapid lateral movement and widespread encryption of critical assets.

• TrickBot Malware Campaigns:

  • TrickBot malware incorporates modules specifically designed to dump LSASS memory.

  • Extracted credentials are used to infect additional systems, deploy secondary payloads (Emotet, Ryuk), and escalate attacks.

• FIN7 Attack Group Operations:

  • FIN7 attackers routinely use LSASS memory dumping techniques to obtain credentials.

  • Credentials facilitate lateral movement, access to payment systems, and theft of sensitive financial data.

• Use of ProcDump and Built-in Windows Utilities:

  • Attackers leverage legitimate tools like ProcDump or rundll32.exe with comsvcs.dll to evade detection.

  • These methods create legitimate-looking memory dump files, complicating detection efforts.

These examples highlight the widespread use of LSASS memory dumping across various threat actors, attack types, and scenarios, underscoring the critical importance of proactive detection and mitigation strategies.