Credential Dumping: LSASS Memory Dump Detection

What is LSA/LSASS?

LSA (Local Security Authority) is a component of Windows that enforces security policies on a system, managing user logins and maintaining information about all aspects of the system’s security, including logins, authentication and privileges.

LSASS (Local Security Authority Subsystem Service), represented by the process lsass.exe, is the part of LSA that actually runs on the system to enforce these security policies. It is responsible for authenticating users and storing sensitive information such as password hashes and Kerberos tickets in its memory during active sessions. Because LSASS stores credentials and session tokens, it is a common target in attacks aimed at credential theft.

Various Methods for Extracting LSASS Memory

Various techniques, such as using ProcDump, PowerSploit or Mimikatz, enable attackers to extract NTLM hashes from system memory, risking unauthorized access. This article covers each method in detail, including detection techniques and false positive chances.

1. Using ProcDump (Windows Native Utility)

ProcDump is a legitimate Windows utility commonly used for creating process memory dumps. Attackers use it to avoid detection while capturing sensitive data from LSASS memory.

Example Command:

procdump.exe -accepteula -ma lsass.exe lsass.dmp

Detection Query:

• SIEM: event_id:4688 AND process_name:"procdump.exe" AND command_line:"lsass.exe"
• EDR: command_line contains "procdump.exe" AND command_line contains "lsass.exe"

False Positive Chances:

• Medium - Windows administrators can use ProcDump to create an LSASS memory dump for debugging purposes.

2. Using comsvcs.dll (Windows Native DLL)

Attackers can use the comsvcs.dll library to directly dump LSASS memory. This is often seen as a less conspicuous method because it’s a native Windows DLL.

Example Command:

rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id <Path\to\dump> full

Detection Query:

• SIEM: event_id:4688 AND process_name:"rundll32.exe" AND command_line:"comsvcs.dll" AND command_line:"minidump"
• EDR: process_name contains "rundll32.exe" AND command_line contains "comsvcs.dll, minidump"

False Positive Chances:

• Low - rundll32.exe is a legitimate Windows utility and it's abuse with comsvcs.dll is unusual.

3. Using PowerSploit MiniDump

PowerSploit’s MiniDump function allows attackers to dump LSASS memory through PowerShell. This method can evade detection if PowerShell script-block logging is not enabled. The attacker uses PowerShell to dump LSASS memory with Out-MiniDump.

Example Command:

Get-Process lsass | Out-MiniDump

Detection Query:

• SIEM: event_id:4104 AND process_name:"powershell.exe" AND command_line:"Out-MiniDump" (NOTE: PowerShell event logging must be enabled)
• EDR: process_name contains "powershell.exe" AND command_line contains "Out-MiniDump"

False Positive Chances:

• Low - Usage of Out-MiniDump is very unusual.

4. Using SekurLSA (Mimikatz)

Mimikatz is a tool commonly used for credential dumping. It can dump LSASS memory, extract NTLM hashes, and perform pass-the-hash attacks.

Example Command:

sekurlsa::Minidump lsass.dmp
sekurlsa::logonPasswords
sekurlsa::pth

Detection Query:

• EDR: process_name contains "mimikatz.exe" OR command_line contains "sekurlsa::"

False Positive Chances:

• Very Low - Almost exclusively used for malicious purposes.

5. Using Windows Credential Editor (WCE)

WCE is another utility capable of extracting live NTLM hashes from a machine.

Example Command:

wce64.exe
wce32.exe

Detection Query:

• EDR: process_name contains "wce64.exe" OR process_name contains "wce32.exe" OR process_name contains "wce.exe"

False Positive Chances:

• Very Low - Uncommon in legitimate operations.