T1003.001 - LSASS Memory
Sub-technique
Tattiche:
Credential Access
Credential Access
Piattaforme:
Windows
Windows
Rilevamento:
Not specified
Not specified
Description:
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* <code>procdump -ma lsass.exe lsass_dump</code>
Locally, mimikatz can be run using:
* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>
Built-in Windows tools such as `comsvcs.dll` can also be used:
* <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* <code>procdump -ma lsass.exe lsass_dump</code>
Locally, mimikatz can be run using:
* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>
Built-in Windows tools such as `comsvcs.dll` can also be used:
* <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
Usato da Attori (20)
APT1
Nation-state
Nation-state
APT3
Nation-state
Nation-state
APT33
Nation-state
Nation-state
Cleaver
Nation-state
Nation-state
APT28
Nation-state
Nation-state
FIN6
Unknown
Unknown
OilRig
Nation-state
Nation-state
APT32
Nation-state
Nation-state
PLATINUM
Unknown
Unknown
FIN8
Unknown
Unknown
APT5
Unknown
Unknown
Kimsuky
Nation-state
Nation-state
MuddyWater
Nation-state
Nation-state
MUSTANG PANDA
Nation-state
Nation-state
INDRIK SPIDER
Unknown
Unknown
WIZARD SPIDER
Nation-state
Nation-state
APT39
Unknown
Unknown
Whitefly
Unknown
Unknown
APT41
Nation-state
Nation-state
GALLIUM
Unknown
Unknown
Malware (20)
Bad Rabbit other
GreyEnergy other
Emotet other
Olympic Destroyer other
Mafalda other
Okrum other
NotPetya other
Pysa other
Cobalt Strike other
Daserf other
PoetRAT other
Qilin other
CozyCar other
Lizar other
Net Crawler other
Sliver tool
SILENTTRINITY tool
PowerSploit tool
Windows Credential Editor tool
Impacket tool
Metadata
| MITRE ID: | T1003.001 |
| STIX ID: | attack-pattern--65f2d882-3f41-... |
| Piattaforme: | Windows |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |