Detections
Analytics

OS Credential Dumping: LSASS Memory

critical

Language:

Description

After a user logs on, attackers can attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).

See Also

MITRE ATT&CK description

ADsecurity.org - Extract Hashes from LSASS

Microsoft - Using ProcDump

Indicator Details

Name: OS Credential Dumping: LSASS Memory

Codename: I-ProcessInjectionLsass

Severity: Critical

Type: Indicator of Attack

MITRE ATT&CK Information:
ID: T1003.001
Sub-technique of: T1003
Tactic: TA0006