LSASS Memory

The Local Security Authority Subsystem Service (LSASS) is a fundamental component of the Windows operating system. It is responsible for enforcing security policies, handling user authentication, managing password changes, and creating access tokens. LSASS stores sensitive information, including user credentials, which makes it a prime target for attackers seeking unauthorized access to a system. This critical service plays a pivotal role in maintaining the security and integrity of Windows environments.

Credential Storage in LSASS

When a user logs onto a Windows system, various credential materials are generated and stored in the memory of the LSASS process. These credentials include domain passwords, smart card PINs, NTLM hashes, Kerberos tickets, certificate private keys, and cached credentials. These stored credentials are essential for seamless authentication processes and secure access to network resources. Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process during system startup, providing additional authentication capabilities and accessing both encrypted and plaintext passwords. The configuration of these SSPs is stored in two primary registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. Adversaries may modify these registry keys to load new SSPs that will be executed on system startup or when specific API functions are called.

Techniques

Memory Dumping is a prevalent method used by attackers to extract credentials from LSASS. Tools such as ProcDump, Task Manager, and comsvcs.dll are commonly employed to create memory dumps of the LSASS process. These memory dumps can then be analyzed offline to extract sensitive credential information. This technique leverages legitimate tools to perform malicious activities, often evading initial detection by appearing as normal administrative actions.

Direct Memory Access involves using tools like Mimikatz to directly read the LSASS memory and extract credential materials. Mimikatz is particularly notorious for its ability to retrieve plaintext passwords, NTLM hashes, and Kerberos tickets from LSASS memory. This method is effective and widely used but can be detected by modern security solutions that monitor for specific Mimikatz signatures and behaviors.

Process Injection is another sophisticated technique where malicious code is injected directly into the LSASS process. By doing so, attackers can access the memory and extract credentials without creating external dump files, making detection more challenging. Injected code can run with the same privileges as the LSASS process, enabling it to perform sensitive operations.

Remote Access methods involve using remote administrative tools to access and dump LSASS memory on a compromised machine. Attackers may leverage remote desktop protocols, PowerShell remoting, or other administrative interfaces to perform these actions. Remote access tools can be configured to run stealthily, avoiding detection by mimicking legitimate administrative activities.

Detection Strategies

Process Monitoring is crucial for detecting LSASS memory attacks. Sysmon Event ID 1 captures process creation events, which can be monitored for the execution of tools commonly used to dump LSASS memory, such as procdump.exe, taskmgr.exe, rundll32.exe loading comsvcs.dll, and mimikatz.exe. Because attacker-supplied binaries can be renamed or dropped in any directory, match on the image file name (and, where available, Sysmon's OriginalFileName field) rather than on a fixed path. Specific detection indicators include:

  • Sysmon Event ID 1: Monitor for process creation events where the process image matches known tools (the paths below are illustrative; the file name is the reliable part):

    • Image: C:\Windows\System32\procdump.exe

    • Image: C:\Windows\System32\taskmgr.exe

    • Image: C:\Windows\System32\comsvcs.dll

    • Image: C:\Windows\System32\mimikatz.exe

Additionally, monitoring Windows Security Event ID 4688 enables detailed command-line logging to capture arguments passed to processes involved in LSASS memory attacks. Note that 4688 records the command line only when the "Include command line in process creation events" policy is enabled; it is off by default. This helps in identifying suspicious command-line patterns indicative of memory dumping activities. Specific detection indicators include:

  • Windows Security Event ID 4688: Capture command-line arguments such as:

    • procdump.exe -ma lsass.exe

    • taskmgr.exe /min /dump lsass.exe

    • rundll32.exe comsvcs.dll, MiniDump <PID> <DumpFile> full

    • mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords full"

Memory Access Monitoring involves capturing events where processes attempt to access LSASS memory. Sysmon Event ID 10 captures process access events, while Windows Security Event ID 4656 records handle requests to LSASS with access rights that allow reading or dumping its memory (4656 is only generated when object access auditing for kernel objects is enabled). Identifying processes that request such handles and analyzing their context and behavior is essential for detecting unauthorized access attempts; many Windows components open LSASS with query-only rights, so alert on masks that include memory rights rather than on any access. Specific detection indicators include:

  • Sysmon Event ID 10: Monitor for process access events where the target image is LSASS:

    • TargetImage: C:\Windows\System32\lsass.exe

    • GrantedAccess: 0x1410 (includes PROCESS_VM_READ)

    • GrantedAccess: 0x1438 (includes PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_VM_WRITE)

  • Windows Security Event ID 4656: Monitor for handle requests to LSASS:

    • ObjectType: Process

    • ObjectName: \Device\HarddiskVolume*\Windows\System32\lsass.exe

    • AccessMask: 0x1410 (includes PROCESS_VM_READ)

    • AccessMask: 0x1438 (includes PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_VM_WRITE)
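To make the GrantedAccess masks above concrete, the following is an added Python example (not code from the original page) that decodes a mask into its PROCESS_* rights and flags Sysmon Event ID 10 records whose target is lsass.exe and whose mask carries any memory right (VM_READ, VM_WRITE or VM_OPERATION). The input follows Sysmon's key: value text rendering of "Process accessed" events; the three event records and the allowlist argument are constructed for the example.

```python
"""Decode Sysmon Event ID 10 GrantedAccess masks and flag memory access to lsass.exe.

Added example, not from the original page. The log records below are constructed
in the shape of Sysmon's text rendering (key: value lines, blank line between events).
"""
import re
from typing import Dict, List

# Process access rights from winnt.h (bit -> name).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights that allow reading or writing another process's memory.
MEMORY_RIGHTS = 0x0008 | 0x0010 | 0x0020


def decode_access(mask: int) -> List[str]:
    """Return the names of the rights set in a GrantedAccess/AccessMask value."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)  # bits not in the table (e.g. standard rights)
    if unknown:
        names.append(f"0x{unknown:X}")
    return names


def parse_sysmon_text(text: str) -> List[Dict[str, str]]:
    """Split Sysmon text output into one dict per event, keyed by field name."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; paths keep theirs
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def detect_lsass_access(text: str, allowlist=()) -> List[dict]:
    """Alert on Event 10 records where lsass.exe is opened with a memory right.

    allowlist: full source image paths (e.g. a known EDR agent) to suppress.
    """
    allowed = {p.lower() for p in allowlist}
    alerts = []
    for ev in parse_sysmon_text(text):
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        mask = int(ev.get("GrantedAccess", "0"), 16)
        if not mask & MEMORY_RIGHTS:
            continue  # query-only handles are routine for many Windows components
        source = ev.get("SourceImage", "")
        if source.lower() in allowed:
            continue
        alerts.append({"time": ev.get("UtcTime"), "source": source,
                       "mask": mask, "rights": decode_access(mask)})
    return alerts


# Constructed sample log: an unknown binary reading LSASS, a routine query-only
# handle from svchost.exe, and Task Manager opening LSASS with read/write rights.
SAMPLE_LOG = r"""
Process accessed:
RuleName: -
UtcTime: 2024-05-01 02:14:07.301
SourceProcessId: 4120
SourceImage: C:\Users\Public\pd.exe
TargetProcessId: 712
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1410
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d3e4|C:\Users\Public\pd.exe+1a2b

Process accessed:
RuleName: -
UtcTime: 2024-05-01 02:14:09.002
SourceProcessId: 980
SourceImage: C:\Windows\System32\svchost.exe
TargetProcessId: 712
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d3e4

Process accessed:
RuleName: -
UtcTime: 2024-05-01 02:15:31.447
SourceProcessId: 5532
SourceImage: C:\Windows\System32\Taskmgr.exe
TargetProcessId: 712
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1438
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d3e4
"""

if __name__ == "__main__":
    for alert in detect_lsass_access(SAMPLE_LOG):
        print(alert["time"], alert["source"], hex(alert["mask"]), " | ".join(alert["rights"]))
```

Decoding shows why 0x1410 and 0x1438 matter: both carry PROCESS_VM_READ on top of the query rights, whereas 0x1000 alone is the query-only access many system processes use and should not page anyone.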

Command-Line Analysis focuses on monitoring for command lines indicative of LSASS memory dumping. Suspicious command lines, particularly those using tools like procdump, mimikatz, or taskmgr, are key indicators of malicious activities. Detecting obfuscation techniques used in command lines, such as encoded commands or concatenation of strings that hide the true nature of the command, is also important. Specific detection indicators include:

  • Suspicious Command Lines:

    • procdump.exe -ma lsass.exe

    • mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords full"

    • rundll32.exe comsvcs.dll, MiniDump <PID> <DumpFile> full

    • taskmgr.exe /min /dump lsass.exe

  • Obfuscation Indicators:

    • procdump*lsass.exe (using wildcard or partial obfuscation)

    • mimikatz*sekurlsa::logonpasswords*full (using partial obfuscation)
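The command lines and obfuscation indicators above can be turned into a small matcher. The following is an added Python example (not code from the original page): it normalizes a command line (case, cmd.exe caret escapes, inserted quotes, spacing) before applying regex rules that mirror the page's wildcard indicators, so a renamed tool or a quote-split argument still matches. The rule names and the sample command lines are constructed for the example.

```python
"""Normalize command lines and match them against LSASS-dumping indicators.

Added example, not from the original page. Rules mirror the page's indicators
(procdump*lsass, mimikatz*sekurlsa::logonpasswords, comsvcs MiniDump, taskmgr);
the sample command lines below are constructed.
"""
import re
from typing import List, Tuple

# Rule name -> regex applied to the normalized command line. The \S* and .*
# gaps are the page's wildcard indicators: they tolerate renamed binaries and
# extra arguments between the tool and the lsass target.
RULES = {
    "procdump_lsass": re.compile(r"procdump\S*\s.*\blsass\b"),
    "taskmgr_lsass": re.compile(r"taskmgr\S*\s.*\blsass\b"),
    "comsvcs_minidump": re.compile(r"comsvcs(\.dll)?\s*,?\s*minidump"),
    "mimikatz_logonpasswords": re.compile(r"sekurlsa::logonpasswords"),
}


def normalize(cmdline: str) -> str:
    """Undo cheap obfuscation: cmd.exe '^' escapes, inserted quotes, odd spacing, case."""
    text = cmdline.replace("^", "")
    text = re.sub(r"[\"']", "", text)
    text = re.sub(r"\s+", " ", text)
    return text.strip().lower()


def classify(cmdline: str) -> List[str]:
    """Return the names of all rules the (normalized) command line matches."""
    normalized = normalize(cmdline)
    return [name for name, pattern in RULES.items() if pattern.search(normalized)]


def scan(cmdlines) -> List[Tuple[str, List[str]]]:
    """Return (original line, matched rules) for every line that matched at least one rule."""
    hits = []
    for line in cmdlines:
        names = classify(line)
        if names:
            hits.append((line, names))
    return hits


# Constructed samples: the page's indicators, one caret/quote-obfuscated variant,
# and two benign lines that mention lsass or procdump without targeting LSASS.
SAMPLE_CMDLINES = [
    r"procdump.exe -ma lsass.exe C:\temp\out.dmp",
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\temp\l.dmp full',
    r'mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords full"',
    r'pro^cdump.exe -ma "ls"ass".exe"',
    r"taskmgr.exe /min /dump lsass.exe",
    r"notepad.exe C:\docs\lsass_notes.txt",
    r"procdump.exe -ma explorer.exe C:\temp\explorer.dmp",
]

if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES):
        print(", ".join(names), "<-", line)
```

Normalizing before matching is what catches the `pro^cdump.exe -ma "ls"ass".exe"` variant; matching the raw string would miss it even though cmd.exe executes it exactly like the plain form. Keep a small exclusion list for the benign cases a rule this broad will hit in your environment.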

Behavioral Analysis involves establishing a baseline of normal process behavior within the environment to detect deviations. Monitoring for unusual activities, such as administrative tools accessing LSASS from non-administrative accounts or during off-hours, is crucial. Frequency analysis helps identify rare or unusual process executions related to LSASS access, while detecting processes with suspicious memory access patterns, such as high-frequency handle requests or accessing LSASS memory without legitimate need, is vital. Specific detection indicators include:

  • Baseline Deviations:

    • Administrative tools accessing LSASS from non-administrative accounts.

    • LSASS memory access during off-hours or unusual times.

  • Frequency Analysis:

    • Spikes in process activity related to LSASS access.

    • High-frequency handle requests to LSASS memory.

  • Suspicious Memory Access Patterns:

    • Processes accessing LSASS memory without legitimate need.

    • Processes making high-frequency read/write requests to LSASS memory.
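The baseline, frequency and off-hours checks above are easy to state and fiddly to implement, so here is an added Python example (not code from the original page) that runs all three over already-parsed LSASS access events: a source image is "rare" if the 30-day baseline has seen it fewer than a threshold number of times, a "spike" is more than a threshold of handle requests from one source inside a sliding window, and "off-hours" is outside an assumed Monday to Friday, 08:00 to 17:59 schedule. The events, the baseline counts and the business-hours definition are constructed assumptions.

```python
"""Baseline, frequency and off-hours analysis of LSASS access events.

Added example, not from the original page. Events are (UtcTime, SourceImage, user)
tuples as one would obtain after parsing Sysmon Event ID 10 records; the events,
baseline counts and business-hours schedule below are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Event = Tuple[datetime, str, str]  # (UtcTime, SourceImage, user)

PD = r"C:\Users\Public\pd.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed sample: eight rapid LSASS reads from an unknown binary at 02:14
# (Wednesday 2024-05-01), plus two routine svchost.exe accesses during the day.
EVENTS: List[Event] = [
    (datetime(2024, 5, 1, 2, 14, 7) + timedelta(seconds=3 * i), PD, "CORP\\jdoe")
    for i in range(8)
] + [
    (datetime(2024, 5, 1, 10, 0, 5), SVCHOST, "NT AUTHORITY\\SYSTEM"),
    (datetime(2024, 5, 1, 10, 42, 19), SVCHOST, "NT AUTHORITY\\SYSTEM"),
]

# Assumed 30-day baseline: how often each source image opened lsass.exe.
BASELINE = Counter({
    SVCHOST: 4200,
    r"C:\Windows\System32\csrss.exe": 3100,
    r"C:\ProgramData\EDR\agent.exe": 900,
})
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59, Monday to Friday


def rare_sources(events: List[Event], baseline: Counter, min_seen: int = 10) -> Set[str]:
    """Source images that the baseline has (almost) never seen touching LSASS."""
    return {src for _, src, _ in events if baseline.get(src, 0) < min_seen}


def off_hours_access(events: List[Event]) -> List[Event]:
    """Events outside the business-hours schedule (weekend or outside BUSINESS_HOURS)."""
    return [ev for ev in events if ev[0].hour not in BUSINESS_HOURS or ev[0].weekday() >= 5]


def handle_request_spikes(events: List[Event], window: timedelta = timedelta(seconds=60),
                          threshold: int = 5) -> Dict[str, int]:
    """Sources whose peak number of LSASS handle requests inside any `window` reaches `threshold`.

    Returns {source image: peak count}. Uses a two-pointer sliding window per source.
    """
    by_source = defaultdict(list)
    for ts, src, _ in events:
        by_source[src].append(ts)
    spikes = {}
    for src, times in by_source.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            spikes[src] = peak
    return spikes


def triage(events: List[Event], baseline: Counter) -> Dict[str, object]:
    """Run all three checks and return the findings together for correlation."""
    return {
        "rare_sources": rare_sources(events, baseline),
        "spikes": handle_request_spikes(events),
        "off_hours": [(ts.isoformat(), src, user) for ts, src, user in off_hours_access(events)],
    }


if __name__ == "__main__":
    for name, finding in triage(EVENTS, BASELINE).items():
        print(f"{name}: {finding}")
```

The three checks are most useful combined: a source that is rare in the baseline, bursts many handle requests in under a minute, and does so at 02:14 is a far stronger signal than any one of these on its own, and correlating them keeps the off-hours check from paging on a scheduled EDR scan.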

Network Monitoring is essential for detecting unusual network connections initiated by processes accessing LSASS. Outbound connections to remote servers, particularly those associated with data exfiltration attempts, should be closely monitored. Sysmon Event ID 3 captures network connection events, allowing correlation with process activity accessing LSASS memory. Bear in mind that lsass.exe itself legitimately connects to domain controllers (for example Kerberos and LDAP traffic), so alert on destinations and volumes that deviate from that baseline rather than on any connection from LSASS. Specific detection indicators include:

  • Sysmon Event ID 3: Monitor for network connection events associated with processes accessing LSASS:

    • Image: C:\Windows\System32\lsass.exe

    • DestinationIp: <Suspicious IP>

    • DestinationPort: <Suspicious Port>

  • Unusual Network Connections:

    • Outbound connections to remote servers immediately following LSASS access.

    • Large data transfers to external IP addresses not typically associated with regular operations.

Specific Detection Analytics

Detecting the usage of specific tools like ProcDump involves monitoring for the execution of procdump.exe with command lines targeting LSASS. Similarly, detecting Mimikatz usage requires monitoring for the execution of mimikatz.exe and its specific commands targeting LSASS. Direct access to LSASS memory can be identified by monitoring processes using Sysmon Event ID 10 or Windows Security Event ID 4656. Additionally, detecting remote administrative tools accessing and dumping LSASS memory is crucial for identifying remote access attacks. Specific detection indicators include:

  • Procdump Usage:

    • Execution of procdump.exe with arguments targeting LSASS memory.

    • Command lines such as procdump.exe -ma lsass.exe.

  • Mimikatz Usage:

    • Execution of mimikatz.exe with arguments targeting LSASS memory.

    • Specific commands like privilege::debug, sekurlsa::logonpasswords full.

  • Direct LSASS Access:

    • Processes attempting to access LSASS memory captured by Sysmon Event ID 10.

    • Handle requests to LSASS memory identified by Windows Security Event ID 4656.

  • Remote Access Tools:

    • Execution of remote administrative tools accessing LSASS memory.

    • Network connections and data transfers associated with remote LSASS memory dumps.

Mitigation Strategies

Credential Guard is a powerful feature that leverages virtualization-based security to isolate and protect LSASS secrets from unauthorized access. Using the Windows Hypervisor, Credential Guard moves derived credentials such as NTLM hashes and Kerberos ticket-granting tickets into an isolated LSA process (LSAIso.exe) that code running in the normal operating system, even with SYSTEM privileges, cannot read. Implementing Credential Guard significantly enhances the security of credential storage in LSASS.

LSASS Protection (RunAsPPL) involves running LSASS as a protected process light (PPL), which prevents non-protected processes from opening it with memory-read or memory-write access. This can be configured through Group Policy or directly in the registry (the RunAsPPL DWORD value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). When LSASS is run as a protected process, only appropriately signed, protected code can interact with it, which stops user-mode dumping tools even when they run as SYSTEM; it does not defend against code already executing in the kernel, so pair it with driver-signing and kernel-integrity controls.

Least Privilege Principle ensures that users and applications operate with the minimum privileges necessary to perform their tasks. Limiting the privileges of users and services reduces the risk of credential theft by restricting access to sensitive systems and data. Administrative accounts should be used sparingly and only when absolutely necessary.

Regular Audits and Updates are crucial for maintaining a secure environment. Conducting regular security audits helps identify vulnerabilities and weaknesses, while timely application of patches and updates addresses known vulnerabilities that could be exploited by attackers. Regularly reviewing and updating security policies and configurations further strengthens defenses.

Application Whitelisting involves ensuring that only approved applications and processes can run on the system. By preventing the execution of unauthorized tools and scripts, application whitelisting helps mitigate the risk of LSASS memory dumping attacks.

Memory Protection techniques such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) make it more difficult for attackers to exploit vulnerabilities in the LSASS process. These techniques enhance the security of the operating system and reduce the risk of successful memory-based attacks.

Network Segmentation segregates the network to limit the spread of an attack. Isolating sensitive systems and data ensures that even if an attacker gains access to one part of the network, they cannot easily move laterally to other critical resources. Implementing strong network segmentation policies and practices is essential for protecting against credential theft and other network-based attacks.
