Description
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
procdump -ma lsass.exe lsass_dump
Locally, mimikatz can be run using:
sekurlsa::Minidump lsassdump.dmp
sekurlsa::logonPasswords
Built-in Windows tools such as comsvcs.dll can also be used:
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Similar to Image File Execution Options Injection, the silent process exit mechanism can be abused to create a memory dump of lsass.exe through Windows Error Reporting (WerFault.exe).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package. Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection) Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
Mimikatz Tutorial
Read our in-depth pentesting guide related to this technique
Platforms
Mitigations (7)
Operating System ConfigurationM1028
Consider disabling or restricting NTLM.(Citation: Microsoft Disable NTLM Nov 2012) Consider disabling WDigest authentication.(Citation: Microsoft WDigest Mit)
Credential Access ProtectionM1043
With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping.(Citation: TechNet Credential Guard)(Citation: GitHub SHB Credential G
Privileged Process IntegrityM1025
On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.(Citation: Microsoft LSA)
Privileged Account ManagementM1026
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
User TrainingM1017
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Behavior Prevention on EndpointM1040
On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. (Citation: win10_asr)
Password PoliciesM1027
Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Threat Groups (44)
| ID | Group | Context |
|---|---|---|
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) used [Cobalt Strike](https://attack.mitre.org/software/S0154) to carry out credential dumping u... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used credential dumping tools such as [Mimikatz](https://attack.mitre.org/software/S0002) to steal... |
| G0003 | Cleaver | [Cleaver](https://attack.mitre.org/groups/G0003) has been known to dump credentials using Mimikatz and Windows Credential Editor.(Citation: Cylance Cl... |
| G0077 | Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) used several tools for retrieving login and password information, including LaZagne and Mimikatz.(C... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors have used a modified version of [Mimikatz](https://attack.mitre.org/software/S0002) ... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) has been known to use credential dumping using [Mimikatz](https://attack.mitre.org/software/S0002).(Cita... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used publicly available tools to dump password hashes, including ProcDump and WCE.(Citation: Fi... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).(Citation: FireEye Know Y... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used <code>procdump</code> to dump the LSASS process memory.(Citation: Microsoft HAFNIUM March 20... |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used Mimikatz to retrieve credentials from LSASS memory.(Citation: RedCanary Mockingbird... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has attempted to access hashed credentials from the LSASS process memory space.(Citation: Micros... |
| G0107 | Whitefly | [Whitefly](https://attack.mitre.org/groups/G0107) has used [Mimikatz](https://attack.mitre.org/software/S0002) to obtain credentials.(Citation: Symant... |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used a variety of publicly available tools like [LaZagne](https://attack.mitre.org/software/S0349),... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has obtained memory dumps with ProcDump to parse and extract credentials from a victim's LSASS process ... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.(Citation: Cy... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has dumped LSASS memory for credential access.(Citation: JPCERT MirrorFace JUL 2024) |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has dumped LSASS credentials using `comsvcs.dll` via `rundll32.exe`.(Citation: Check Point VOI... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has harvested credentials from memory of lssas.exe with [Mimikatz](https://attack.mitre.org/sof... |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) used tools such as [Mimikatz](https://attack.mitre.org/software/S0002) to dump LSASS memory to capture... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used a modified version of [Mimikatz](https://attack.mitre.org/software/S0002) along with a PowerShel... |
Associated Software (26)
| ID | Name | Type | Context |
|---|---|---|---|
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can create a memory dump of LSASS via the `MiniDumpWriteDump Win32` API call.(Citation: GitHu... |
| S0349 | LaZagne | Tool | [LaZagne](https://attack.mitre.org/software/S0349) can perform credential dumping from memory to obtain account and password information.(Citation: Gi... |
| S0121 | Lslsass | Tool | [Lslsass](https://attack.mitre.org/software/S0121) can dump active logon session password hashes from the lsass process.(Citation: Mandiant APT1) |
| S0681 | Lizar | Malware | [Lizar](https://attack.mitre.org/software/S0681) can run [Mimikatz](https://attack.mitre.org/software/S0002) to harvest credentials.(Citation: Threatp... |
| S0606 | Bad Rabbit | Malware | [Bad Rabbit](https://attack.mitre.org/software/S0606) has used [Mimikatz](https://attack.mitre.org/software/S0002) to harvest credentials from the vic... |
| S0046 | CozyCar | Malware | [CozyCar](https://attack.mitre.org/software/S0046) has executed [Mimikatz](https://attack.mitre.org/software/S0002) to harvest stored credentials from... |
| S0357 | Impacket | Tool | SecretsDump and [Mimikatz](https://attack.mitre.org/software/S0002) modules within [Impacket](https://attack.mitre.org/software/S0357) can perform cre... |
| S0368 | NotPetya | Malware | [NotPetya](https://attack.mitre.org/software/S0368) contains a modified version of [Mimikatz](https://attack.mitre.org/software/S0002) to help gather ... |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can execute Lazagne as well as [Mimikatz](https://attack.mitre.org/software/S0002) using PowerShell.(C... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can spawn a job to inject into LSASS memory and dump password hashes.(Citation: Cobalt Strike... |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) contains an implementation of [Mimikatz](https://attack.mitre.org/software/S0002) to gather credenti... |
| S0005 | Windows Credential Editor | Tool | [Windows Credential Editor](https://attack.mitre.org/software/S0005) can dump credentials.(Citation: Amplia WCE) |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) used voStro.exe, a compiled pypykatz (Python version of [Mimikatz](https://attack.mitre.org/softwar... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has been observed dropping and executing password grabber modules including [Mimikatz](https://attac... |
| S0056 | Net Crawler | Malware | [Net Crawler](https://attack.mitre.org/software/S0056) uses credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) and [Window... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can employ an embedded [Mimikatz](https://attack.mitre.org/software/S0002) module to dump LSASS memor... |
| S0583 | Pysa | Malware | [Pysa](https://attack.mitre.org/software/S0583) can perform OS credential dumping using [Mimikatz](https://attack.mitre.org/software/S0002).(Citation:... |
| S0002 | Mimikatz | Tool | [Mimikatz](https://attack.mitre.org/software/S0002) performs credential dumping to obtain account and password information useful in gaining access to... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) contains an implementation of [Mimikatz](https://attack.mitre.org/software/S0002) to gather credenti... |
| S0187 | Daserf | Malware | [Daserf](https://attack.mitre.org/software/S0187) leverages [Mimikatz](https://attack.mitre.org/software/S0002) and [Windows Credential Editor](https:... |
Related CWE Weaknesses
References
- French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.
- Gilboa, A. (2021, February 16). LSASS Memory Dumps are Stealthier than Ever Before - Part 2. Retrieved December 27, 2023.
- Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.
- Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
- PowerSploit. (n.d.). Retrieved December 4, 2014.
- Symantec. (2021, June 10). Attacks Against the Government Sector. Retrieved September 28, 2021.
- Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.
Frequently Asked Questions
What is T1003.001 (LSASS Memory)?
T1003.001 is a MITRE ATT&CK technique named 'LSASS Memory'. It belongs to the Credential Access tactic(s). Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a va...
How can T1003.001 be detected?
Detection of T1003.001 (LSASS Memory) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1003.001?
There are 7 documented mitigations for T1003.001. Key mitigations include: Operating System Configuration, Credential Access Protection, Privileged Process Integrity, Privileged Account Management, User Training.
Which threat groups use T1003.001?
Known threat groups using T1003.001 include: Indrik Spider, OilRig, Cleaver, Leafminer, Threat Group-3390, APT1, Leviathan, FIN8.