OS Credential Dumping: LSASS Memory Dump
Explanation
Microsoft has a good resource covering this tactic. The Local Security Authority Subsystem Service (LSASS) is a critical component of the Windows operating system. It is responsible for authenticating users, managing security policies, and maintaining user credentials. LSASS credential dumping attacks target the LSASS process to extract sensitive information such as passwords, hashes, and other authentication credentials.
Attack
These attacks are from Atomic Red Team.
ProcDump
ProcDump is a Sysinternals utility released by Microsoft whose main purpose is to monitor an application for CPU spikes and generate crash dumps. It can also be used as a general process dump utility, which is how this attack uses it. To perform this attack, download ProcDump from this link and run this command:
procdump.exe -accepteula -ma lsass.exe [Dump_Location]
comsvcs.dll
This built-in DLL exports a MiniDump function that can be used to dump the LSASS memory. Run this command with PowerShell and elevated privileges; when it completes there will be a new file $env:TEMP\lsass-comsvcs.dmp:
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
Dumpert
This method uses direct system calls and API unhooking to avoid user-mode hooks placed by security products; see the Dumpert project.
Defend
Detecting LSASS credential dumping attacks can be challenging as attackers can use a variety of methods to carry out the attack. However, there are some indicators of compromise (IOCs) that can help detect LSASS credential dumping attacks. Microsoft has a blog post on detecting and preventing LSASS credential dumping.
Detecting
To detect LSASS credential dumping attacks, organizations can use a combination of network monitoring, endpoint detection and response (EDR) tools, and security information and event management (SIEM) systems. Indicators to look for include:
- Suspicious processes or services running on the system
- Unusual network traffic or connections to external systems
- Large amounts of data being transferred to external systems
- System logs that show suspicious activity or failed authentication attempts
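As an added example (not from the original page or from Atomic Red Team), the following Python prototype runs detection logic for both dump techniques described above over constructed Sysmon-style events: Event ID 1 process-creation command lines and Event ID 10 process-access records targeting lsass.exe. The sample events, the PROCESS_VM_READ handle-right check and the source-process allow-list are assumptions for illustration and would need tuning per environment.

```python
import re
from typing import Dict, List

# Constructed sample events modelled on Sysmon fields (not real telemetry).
# Event ID 1 = process creation, Event ID 10 = process access.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula -ma lsass.exe C:\Users\Public\out.dmp"},
    {"EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 684 C:\Temp\lsass-comsvcs.dmp full"},
    {"EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign rundll32 use
    {"EventID": "10", "SourceImage": r"C:\Users\bob\dumper.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

# Command-line patterns for the ProcDump and comsvcs.dll techniques shown on this page.
COMMAND_RULES = {
    "procdump_lsass": re.compile(r"procdump.*\s-ma\s.*lsass", re.IGNORECASE),
    "comsvcs_minidump": re.compile(r"comsvcs\.dll.*MiniDump", re.IGNORECASE),
}

# Reading another process's memory requires PROCESS_VM_READ (0x0010) in the handle rights.
PROCESS_VM_READ = 0x0010
# Hypothetical allow-list of system processes expected to open LSASS handles (assumption).
SOURCE_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event triggers (empty list if nothing suspicious)."""
    hits: List[str] = []
    if event.get("EventID") == "1":
        cmd = event.get("CommandLine", "")
        hits += [name for name, rx in COMMAND_RULES.items() if rx.search(cmd)]
    elif event.get("EventID") == "10":
        if event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            rights = int(event.get("GrantedAccess", "0"), 16)
            src = event.get("SourceImage", "").lower()
            if rights & PROCESS_VM_READ and src not in SOURCE_ALLOWLIST:
                hits.append("lsass_vm_read_access")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> triggered rules for every event that fired at least one rule."""
    findings: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[i] = hits
    return findings
```

In production the same logic would run over real Sysmon or EDR telemetry, and the allow-list would be built from a baseline of which processes legitimately open LSASS on your hosts.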
Preventing
Preventing LSASS credential dumping attacks requires a combination of proactive security measures and best practices. Here are some steps that organizations can take to prevent LSASS credential dumping attacks:
- Keep the operating system and security software up to date with the latest security patches.
- Limit user privileges to reduce the attack surface.
- Use endpoint detection and response (EDR) tools that can detect malicious activity and block unauthorized access to the LSASS process.
- Use multifactor authentication (MFA) to reduce the risk of credential theft.
- Monitor and analyze network traffic to detect unusual activity.
- Use anti-malware and intrusion detection and prevention (IDP) software to prevent malware infections.