OS Credential Dumping: LSASS Memory

Description

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, LSASS holds that user's secrets (for example NTLM hashes and Kerberos tickets) for the life of the session, so a local administrator on the host can read or dump the process and reuse those secrets elsewhere. The data collected below therefore records, per host, whether Credential Guard keeps those secrets out of LSASS memory and which users currently hold interactive logons or active sessions there.

Products, Sensors, and Dependencies

Product    | Dependencies          | Data source      | Access required    | Protocol | Data collected     | Notes
Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | SMB      | Credential Guard   | Plugin ID: 159817
Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | SMB      | Interactive logins | Plugin ID: 161502
Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | WMI      | Active session     | Plugin ID: 92373
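As an added example, the PowerShell below collects the same three signals locally on a Windows host: Credential Guard status, interactive logons, and active SMB sessions. It is not Tenable plugin code and does not reproduce how plugins 159817, 161502 and 92373 gather their data remotely; the function name Get-LsassExposure and the LsassDumpRisk heuristic are this example's own choices, while the Win32_DeviceGuard and Win32_LogonSession classes, the RunAsPPL registry value and the Get-SmbSession cmdlet are standard Windows interfaces. Run it in an elevated session on Windows 10 / Server 2016 or later.

```powershell
# Added example (not Tenable plugin code): local check of the signals the table
# above lists for LSASS Memory. Function name and risk heuristic are assumptions
# of this example; the CIM classes, registry value and cmdlets are standard.

function Get-LsassExposure {
    [CmdletBinding()]
    param()

    # 1. Credential Guard: when running, LSA secrets live in the isolated LSA
    #    process (LsaIso.exe) and cannot be read out of lsass.exe memory.
    #    SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # LSA protection (RunAsPPL) is a weaker, complementary control: lsass runs
    # as a protected process, so unsigned tools cannot open it for reading.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -ErrorAction SilentlyContinue
    $runAsPpl = ($null -ne $lsa.RunAsPPL) -and ($lsa.RunAsPPL -ne 0)

    # 2. Interactive logons: logon types 2 (console), 10 (RDP) and 11 (cached
    #    interactive) leave credential material in LSASS while the session lives.
    $interactiveTypes = 2, 10, 11
    $sessions = Get-CimInstance -ClassName Win32_LogonSession |
        Where-Object { $interactiveTypes -contains $_.LogonType }
    $logons = foreach ($s in $sessions) {
        # Win32_LoggedOnUser associates each logon session with its account.
        $accounts = Get-CimAssociatedInstance -InputObject $s -Association Win32_LoggedOnUser
        foreach ($a in $accounts) {
            [pscustomobject]@{
                User      = '{0}\{1}' -f $a.Domain, $a.Name
                LogonType = $s.LogonType
                LogonId   = $s.LogonId
                StartTime = $s.StartTime
            }
        }
    }

    # 3. Active SMB sessions: remote principals currently authenticated to this
    #    host; each one is a lateral-movement edge in an attack path.
    $smb = Get-SmbSession -ErrorAction SilentlyContinue |
        Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CredentialGuard   = $credGuardRunning
        LsaProtection     = $runAsPpl
        InteractiveLogons = @($logons)
        SmbSessions       = @($smb)
        # Heuristic (this example's own): the host is a dumping target when it
        # holds interactive credentials and Credential Guard is not running.
        LsassDumpRisk     = (-not $credGuardRunning) -and (@($logons).Count -gt 0)
    }
}

$report = Get-LsassExposure
$report | Select-Object ComputerName, CredentialGuard, LsaProtection, LsassDumpRisk | Format-List
$report.InteractiveLogons | Format-Table -AutoSize
$report.SmbSessions | Format-Table -AutoSize
```

The LsassDumpRisk flag deliberately ignores RunAsPPL: LSA protection raises the bar but a SYSTEM-level attacker with a signed or kernel-mode driver can still bypass it, whereas Credential Guard removes the secrets from LSASS memory altogether. Treat a host reporting CredentialGuard = False together with privileged interactive logons as the highest-priority node on the attack path.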

References

Microsoft Windows Logged On Users

Microsoft Windows SMB Sessions

Windows Credential Guard Status

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Sub-Technique: LSASS Memory

Platform: Windows

Products Required: Tenable.io

Tenable Release Date: 2022 Q2