Why do adversaries use LSASS Memory?
Adversaries commonly abuse the Local Security Authority Subsystem Service (LSASS) to dump credentials for privilege escalation, data theft, and lateral movement. The process is a fruitful target for adversaries because of the sheer amount of sensitive information it stores in memory. Upon starting up, LSASS contains valuable authentication data such as:
- encrypted passwords
- NT hashes
- LM hashes
- Kerberos tickets
The LSASS process is typically the first that adversaries target to obtain credentials. Post-exploitation frameworks like Cobalt Strike import and customize existing code from credential theft tools like Mimikatz, allowing operators to easily access LSASS via beacons.
How do adversaries use LSASS Memory?
Adversaries use a variety of tools and methods to dump or scan the process memory space of LSASS. Whatever method they choose, the ultimate goal is to obtain credentials, move laterally, and access valuable systems. In the abstract, LSASS abuse falls broadly into two substantially overlapping categories:
- native processes
- custom adversary tools
The tooling that adversaries use to extract credentials from LSASS Memory exists on a spectrum ranging from legitimate to dual-purpose to overtly malicious. More often than not, adversaries drop and execute trusted administrative tools onto their target, so we’ll organize our analysis going from legitimate to ambiguous to malicious—starting with processes.
The Windows Task Manager (taskmgr.exe) and the Windows DLL Host (rundll32.exe) are the two built-in utilities that adversaries seem to abuse most often. Task Manager is capable of dumping arbitrary process memory if executed under a privileged user account. It's as simple as right-clicking on the LSASS process and hitting "Create Dump File." The Create Dump File option calls the MiniDumpWriteDump function implemented in dbgcore.dll. Additionally, Rundll32 can execute the Windows native DLL comsvcs.dll, which exports a function called MiniDump. When this export is called, adversaries can feed in a process ID such as that of LSASS and create a MiniDump file.
Adversaries frequently co-opt a number of Sysinternals and other Microsoft tools to access the memory contents of LSASS. A few of the standouts include Sysinternals Procdump, Sysinternals Process Explorer, and Microsoft's SQLDumper.exe.
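As an added example (not code from this report), the following Python sketches how the dump methods above could be caught in endpoint telemetry: command-line rules for the comsvcs.dll MiniDump export and for a ProcDump full dump, with the numeric target PID resolved against the known LSASS PID, plus a handle-access rule for Task Manager, which leaves no command-line artifact. The flat event schema, the sample events, and the allowlist path are constructed for the example.

```python
import re

# Added example, not the report's detection logic; the flat event schema
# (type, pid, image, cmdline, source_image, target_image) is assumed. Rules key
# on arguments rather than image names, since the binary is easily renamed.
CMDLINE_RULES = [
    # comsvcs.dll MiniDump export via rundll32: "... MiniDump <pid> <file> full"
    ("comsvcs_minidump_export", re.compile(r"\bminidump\s+(\d+)\b", re.I)),
    # Sysinternals ProcDump full dump (-ma) of lsass, by name or by PID
    ("procdump_full_dump", re.compile(r"\s-ma\b.*?\b(lsass(?:\.exe)?|\d+)\b", re.I)),
]
# Placeholder allowlist of sources expected to open LSASS (AV/EDR/backup agents).
ALLOWLIST = {r"c:\program files\exampleav\scanner.exe"}


def detect(events, allowlist=ALLOWLIST):
    """Return one alert per LSASS dump indicator found in the events."""
    lsass_pids = {e["pid"] for e in events if e["type"] == "process_create"
                  and e["image"].lower().endswith("\\lsass.exe")}
    alerts = []
    for e in events:
        if e["type"] == "process_create":
            for rule, rx in CMDLINE_RULES:
                m = rx.search(e["cmdline"])
                if m:  # group 1 is the dump target: a PID or "lsass[.exe]"
                    t = m.group(1)
                    on_lsass = t.lower().startswith("lsass") or (t.isdigit() and int(t) in lsass_pids)
                    alerts.append({"rule": rule, "pid": e["pid"], "targets_lsass": on_lsass})
        # Task Manager's "Create Dump File" has no telltale command line; only
        # handle-access telemetry (e.g. Sysmon Event ID 10) exposes it.
        elif (e["type"] == "process_access"
              and e["target_image"].lower().endswith("\\lsass.exe")
              and e["source_image"].lower() not in allowlist):
            alerts.append({"rule": "lsass_handle_access", "pid": e["pid"], "targets_lsass": True})
    return alerts


# Constructed sample telemetry: LSASS itself, a comsvcs dump, a renamed ProcDump,
# a benign process, Task Manager opening LSASS, and an allowlisted scanner.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 624, "image": r"C:\Windows\System32\lsass.exe", "cmdline": "lsass.exe"},
    {"type": "process_create", "pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\debug.dmp full"},
    {"type": "process_create", "pid": 5208, "image": r"C:\Tools\pd.exe",
     "cmdline": r"pd.exe -accepteula -ma lsass.exe C:\Tools\out.dmp"},
    {"type": "process_create", "pid": 7012, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "process_access", "pid": 3344, "source_image": r"C:\Windows\System32\Taskmgr.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"type": "process_access", "pid": 3580, "source_image": r"C:\Program Files\ExampleAV\scanner.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
]
```

Running detect(SAMPLE_EVENTS) yields three alerts (the comsvcs dump, the renamed ProcDump, and Task Manager's handle to LSASS); the allowlisted scanner and notepad are ignored.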
We aren’t always able to reliably differentiate when an offensive security tool is used by a red team or an adversary. In fact, as much as a quarter of our detections may be triggered by sanctioned tests, so we detect the following irrespective of intent. That said, the LSASS-abusing tools we commonly see include:
Other threats that have abused LSASS Memory include TrickBot, Zoremov, and Rose Flamingo.