Keypoints
- LSASS stores credential material in process memory after user logon.
- Adversaries dump LSASS memory using tools like procdump or rundll32 with comsvcs.dll.
- Mimikatz and similar tools extract plaintext credentials from LSASS dumps locally.
- Attackers can register or modify Security Support Provider (SSP) DLLs via the Lsa\Security Packages Registry keys so that LSASS loads them at boot and they capture credentials at each subsequent logon.
- Detection requires monitoring process access, process creation, command lines, and Registry changes.
Description:
- Like a thief rifling through a wallet left open on a table, adversaries search LSASS process memory to pull out user passwords and tokens stored after logon.
- This technique reads or dumps LSASS memory to retrieve credentials (plaintext, hashes, tokens), enabling lateral movement, privilege escalation, and persistent access across a Windows environment.
Detection:
- Log and alert on any process opening a handle to lsass.exe (NtOpenProcess) or reading its memory (NtReadVirtualMemory) using EDR telemetry or Sysmon Process Access events (Event ID 10); focus on handles whose GrantedAccess includes PROCESS_VM_READ (0x10), for example 0x1010, 0x1410 or 0x1FFFFF, from images that are not in the host's baseline.
- Monitor process creation and command-line logging for procdump targeting lsass, rundll32 loading comsvcs.dll with the MiniDump export (also callable by ordinal #24), and other known credential-dumping tool invocations.
- Collect Windows Event Logs and Sysmon events for unexpected rundll32 or WerFault.exe activity that writes a dump of lsass.exe, including dumps triggered through the SilentProcessExit Image File Execution Options key, which abuses Windows Error Reporting to dump the process without a third-party tool.
- Watch for modifications to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages and alert on any SSP DLL name that is not in the known baseline.
- Monitor creation of memory-dump files (for example *.dmp) in system and temp directories and any subsequent outbound transfer of those files, to detect both local analysis and staging for exfiltration.
- Enable PowerShell Script Block Logging, Module Logging and Transcription together with process command-line auditing to detect Invoke-Mimikatz or PowerSploit modules running; note that Constrained Language Mode is a mitigation, not a logging source.
- Be aware of false positives from legitimate crash dumps and admin diagnostic tools; tune alerts by allow-listing approved management tools by signed path, and by building per-host baselines of which images normally open lsass.exe.
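The detection bullets above can be encoded as a small triage pass over Sysmon telemetry. The following is an added example, not code from the original page or from MITRE: it applies the process-access, command-line and Security Packages registry rules to constructed Sysmon-style records (Event IDs 10, 1 and 13). The allow-list of images, the SSP baseline and the sample events are assumptions for illustration and would be replaced by a real host baseline.

```python
"""Triage constructed Sysmon events for LSASS memory dumping indicators.

Added example: the rules mirror the Detection bullets on this page. The
allow-list, SSP baseline and sample events are constructed assumptions.
"""
import re

# Process access-right bits from WinNT.h; a memory dump needs at least
# PROCESS_VM_READ, so any of these bits on an lsass.exe handle is of interest.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_ACCESS_BITS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

LSASS = r"c:\windows\system32\lsass.exe"

# Assumed allow-list: images that legitimately open lsass.exe on the
# monitored hosts. Derive this from a baseline, not from this example.
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Assumed baseline of SSP names normally listed in Security Packages.
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}

# Matches both Lsa\Security Packages and Lsa\OSConfig\Security Packages.
SSP_KEYS = re.compile(r"\\control\\lsa\\(osconfig\\)?security packages$", re.I)

# Command-line indicators for the dumping tools named on this page.
CMDLINE_RULES = [
    ("procdump targeting lsass", re.compile(r"procdump\S*\s.*\blsass\b", re.I)),
    ("rundll32 comsvcs.dll MiniDump", re.compile(r"comsvcs\.dll\s*,?\s*(minidump|#\s*24)\b", re.I)),
    ("mimikatz / sekurlsa invocation", re.compile(r"sekurlsa::|invoke-mimikatz|mimikatz", re.I)),
]


def check_process_access(ev):
    """Sysmon Event ID 10: unexpected image opening lsass.exe with memory rights."""
    if ev.get("TargetImage", "").lower() != LSASS:
        return None
    if ev.get("SourceImage", "").lower() in ALLOWED_SOURCE_IMAGES:
        return None
    mask = int(ev["GrantedAccess"], 16)  # Sysmon reports the mask as a hex string
    if mask & MEMORY_ACCESS_BITS:
        return f"lsass.exe opened with 0x{mask:x} by {ev['SourceImage']}"
    return None


def check_process_create(ev):
    """Sysmon Event ID 1: known dumping tool on the command line."""
    cmd = ev.get("CommandLine", "")
    for name, pattern in CMDLINE_RULES:
        if pattern.search(cmd):
            return f"{name}: {cmd}"
    return None


def check_registry(ev):
    """Sysmon Event ID 13: SSP name outside the baseline written to Security Packages."""
    if ev.get("EventType") != "SetValue" or not SSP_KEYS.search(ev.get("TargetObject", "")):
        return None
    # REG_MULTI_SZ details are treated as whitespace/NUL separated names (simplification).
    names = {n.lower() for n in re.split(r"[\s\x00]+", ev.get("Details", "")) if n}
    unknown = sorted(names - BASELINE_SSPS)
    if unknown:
        return f"unknown SSP {unknown} written to {ev['TargetObject']}"
    return None


HANDLERS = {10: check_process_access, 1: check_process_create, 13: check_registry}


def triage(events):
    """Return one alert dict per event that matches a rule, in input order."""
    alerts = []
    for ev in events:
        handler = HANDLERS.get(ev.get("EventID"))
        reason = handler(ev) if handler else None
        if reason:
            alerts.append({"EventID": ev["EventID"], "reason": reason})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},  # allow-listed
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},  # VM_READ from temp
    {"EventID": 10, "SourceImage": r"C:\Tools\inventory.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},  # query only
    {"EventID": 1, "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\out.dmp full"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign rundll32
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u mimilib"},  # new SSP
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages",
     "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u"},  # baseline unchanged
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["EventID"], alert["reason"])
```

The access-mask check deliberately keys on the VM_* bits rather than on exact values such as 0x1010, because dumping tools vary the rights they request; the allow-list is matched on the full lower-cased image path so that a copy of a trusted binary in a user-writable directory still alerts.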
Tactics:
Credential Access
Platforms:
Windows
Data Sources:
Command: Command Execution, File: File Creation, Logon Session: Logon Session Creation, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Modification
Relationship Citations:
(Citation: Amplia WCE),(Citation: Microsoft Moonstone Sleet 2024),(Citation: FireEye APT41 Aug 2019),(Citation: NCSC Joint Report Public Tools),(Citation: ESET Okrum July 2019),(Citation: group-ib_redcurl1),(Citation: Sygnia Elephant Beetle Jan 2022),(Citation: Threatpost Lizar May 2021),(Citation: GitHub PoshC2),(Citation: FireEye APT33 Guardrail),(Citation: TrendMicro EarthLusca 2022),(Citation: Unit 42 MuddyWater Nov 2017),(Citation: CERT-FR PYSA April 2020),(Citation: ESET Bad Rabbit),(Citation: PowerSploit Documentation),(Citation: DFIR Report APT35 ProxyShell March 2022),(Citation: NCC Group APT15 Alive and Strong),(Citation: apt41_dcsocytec_dec2022),(Citation: US-CERT NotPetya 2017),(Citation: CISA AA20-259A Iran-Based Actor September 2020),(Citation: FireEye APT39 Jan 2019),(Citation: Group IB APT 41 June 2021),(Citation: KISA Operation Muzabi),(Citation: Mandiant APT1),(Citation: Cobalt Strike Manual 4.3 November 2020),(Citation: FireEye APT35 2018),(Citation: Microsoft Volt Typhoon May 2023),(Citation: Directory Services Internals DPAPI Backup Keys Oct 2015),(Citation: Symantec Tick Apr 2016),(Citation: Github PowerShell Empire),(Citation: Symantec Buckeye),(Citation: Mandiant FIN12 Oct 2021),(Citation: Cybereason Sliver Undated),(Citation: GitHub Pupy),(Citation: Microsoft HAFNIUM March 2020),(Citation: Talos Nyetya June 2017),(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024),(Citation: Trend Micro Muddy Water March 2021),(Citation: FireEye APT34 Webinar Dec 2017),(Citation: Deply Mimikatz),(Citation: Trend Micro Emotet Jan 2019),(Citation: Cylance Cleaver),(Citation: RedCanary Mockingbird May 2020),(Citation: Cybereason Cobalt Kitty 2017),(Citation: FoxIT Wocao December 2019),(Citation: Mandiant Operation Ke3chang November 2014),(Citation: FireEye TRITON 2019),(Citation: F-Secure CozyDuke),(Citation: Microsoft GALLIUM December 2019),(Citation: CISA AA20-301A Kimsuky),(Citation: Talos Olympic Destroyer 2018),(Citation: Group IB Silence Sept 2018),(Citation: ESET GreyEnergy Oct 2018),(Citation: FireEye Know Your Enemy FIN8 Aug 2016),(Citation: Talos PoetRAT April 2020),(Citation: Volexity Exchange Marauder March 2021),(Citation: FireEye APT40 March 2019),(Citation: GitHub Mimikatz lsadump Module),(Citation: Symantec Whitefly March 2019),(Citation: Secureworks BRONZE BUTLER Oct 2017),(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021),(Citation: CISA GRU29155 2024),(Citation: Symantec Leafminer July 2018),(Citation: Symantec MuddyWater Dec 2018),(Citation: Symantec WastedLocker June 2020),(Citation: emotet_hc3_nov2023),(Citation: Microsoft Iranian Threat Actor Trends November 2021),(Citation: Symantec Elfin Mar 2019),(Citation: Dell TG-3390),(Citation: DFIR Phosphorus November 2021),(Citation: GitHub SILENTTRINITY Modules July 2019),(Citation: Unit42 Agrius 2023),(Citation: GitHub PowerSploit May 2012),(Citation: FireEye FIN6 Apr 2019),(Citation: FireEye TRITON 2018),(Citation: Dragos Crashoverride 2018),(Citation: Mandiant Pulse Secure Update May 2021),(Citation: Volexity Ivanti Zero-Day Exploitation January 2024),(Citation: BiZone Lizar May 2021),(Citation: group-ib_redcurl2),(Citation: Mandiant FIN13 Aug 2022),(Citation: FireEye APT34 July 2019),(Citation: DOJ GRU Indictment Jul 2018),(Citation: Microsoft NICKEL December 2021),(Citation: ESET Sednit Part 2),(Citation: Microsoft PLATINUM April 2016),(Citation: Trend Micro Ransomware Spotlight Play July 2023),(Citation: Cybereason Oceanlotus May 2017),(Citation: SecureWorks BRONZE UNION June 2017),(Citation: CrowdStrike AQUATIC PANDA December 2021),(Citation: Cadet Blizzard emerges as novel threat actor),(Citation: FireEye FIN6 April 2016),(Citation: Unit42 OilRig Playbook 2023),(Citation: Cybereason Soft Cell June 2019),(Citation: Impacket Tools),(Citation: ESET Telebots Dec 2016),(Citation: SentinelLabs Metador Technical Appendix Sept 2022),(Citation: Microsoft Prestige ransomware October 2022),(Citation: Rapid7 HAFNIUM Mar 2021),(Citation: CISA Iran Albanian Attacks September 2022),(Citation: ESET Telebots June 2017),(Citation: Netscout Stolen Pencil Dec 2018),(Citation: GitHub LaZagne Dec 2018),(Citation: win10_asr),(Citation: Microsoft Disable NTLM Nov 2012),(Citation: Microsoft LSA),(Citation: GitHub SHB Credential Guard),(Citation: TechNet Credential Guard),(Citation: Microsoft WDigest Mit)