Sunday, April 6, 2025

Movement - April 19th

LSASS Credential Dumping: Techniques, Detection, and Mitigation in the Wild

1. Introduction: The Criticality of LSASS and Credential Dumping

The Local Security Authority Subsystem Service (LSASS) is a cornerstone of Microsoft Windows: it enforces the local security policy. The process handles user authentication, including verifying logon credentials and processing password changes [1], and it issues the access tokens that let users and services reach system resources, effectively acting as the gatekeeper for the machine [1]. After a successful logon, LSASS keeps sensitive material in its memory so that it can authenticate the user transparently to network resources (single sign-on): encrypted passwords, NT hashes, LM hashes on older configurations, and Kerberos tickets [1]. That makes it an exceptionally valuable target for attackers seeking to compromise systems and networks.

Credential dumping is the process by which attackers extract these stored credentials from the memory of the LSASS process [5]. It is rarely an end in itself; it is a step toward broader objectives. Dumped credentials let attackers escalate privileges on a compromised system or network, move laterally to other hosts, exfiltrate sensitive data, establish persistent access and, in many cases, deploy ransomware across an organization [1]. Valid credentials remove the need for further exploitation in later stages of an attack, which is why credential dumping is one of the most effective and most frequently used tactics in the threat landscape.

The design of the operating system itself creates the exposure. Windows must verify identities quickly and repeatedly, and it must be able to authenticate the logged-on user to file servers, web proxies and other network services without prompting again, so LSASS keeps reusable authentication material (hashes and tickets) in memory rather than requiring the password each time. This optimisation for usability carries a significant security cost: an attacker who can read LSASS memory obtains those credentials directly. The trade-off between operational efficiency and security is a recurring challenge in the field, and the targeting of LSASS memory is one of its clearest examples.

The evolution of credential-dumping tradecraft also shows a strategic shift away from custom, easily identifiable tools toward "Living-off-the-Land" binaries (LOLBins) [6]. Early credential dumping was characterised by tools such as Mimikatz, which, because of their widespread use in malicious campaigns, are well known to security products and readily detected. Attackers have responded by increasingly leveraging legitimate binaries that are native to the operating system or common in enterprise environments. These LOLBins are less likely to be flagged by signature-based controls because they are digitally signed by Microsoft or other trusted vendors and are used for legitimate administrative purposes. Defending against them requires behavioural detection that identifies malicious intent from what a process does (for example, opening lsass.exe with memory-read access and writing a dump file) regardless of how legitimate the underlying tool is.

2. Understanding Attacker Objectives and the Value of LSASS Credentials

Attackers target LSASS credentials for several strategic reasons, all of which serve their objectives within a compromised environment [1]. The primary one is lateral movement. Stolen credentials, particularly those of domain administrator accounts, give the attacker the authorisation needed to reach other systems in the network [1]. With them, attackers can use legitimate administrative tooling such as PsExec or Windows Management Instrumentation (WMI) to execute commands and access resources on other machines, expanding their foothold [6]. Because these are ordinary administrative tools driven by valid credentials, it is significantly harder for security teams to separate malicious activity from legitimate administration. If an attacker uses a domain administrator's credentials with PsExec, the resulting activity looks like an authentic remote execution by that administrator. This is why monitoring must go beyond specific actions to the context of those actions: the source host, the account used, the time of day and whether that account normally administers that system.

Another key objective is privilege escalation. Attackers frequently gain initial access through a low-privileged user account. Once a foothold is established, they turn to dumping LSASS in the hope of finding credentials with higher levels of access [1]. The ultimate goal is often domain dominance, that is, control over the entire Active Directory environment. Even local administrator credentials recovered from LSASS are valuable: they can expose sensitive data on the local machine or, where the same local password is reused across hosts, serve as a stepping stone for pivoting to other systems [10].

Stolen credentials also pave the way for data exfiltration. With the elevated privileges they confer, attackers can reach sensitive information on systems and network shares and move it out of the organization for financial gain, espionage or other purposes [1]. Domain credentials additionally give attackers persistence [1]: even if the initial entry point is discovered and remediated, valid domain credentials allow long-term unauthorised access and a way back in later. In ransomware operations, credential theft is usually a precursor to deployment [6]. Attackers use stolen credentials to gain broad access across the network and then push ransomware to a large number of systems simultaneously, maximising impact and the likelihood of payment.

LSASS is a particularly valuable target because of the volume and sensitivity of what it holds in memory [1]. This includes the credentials of the currently logged-on user, which can often be used immediately for lateral movement or privilege escalation, and the credentials of other users who have recently logged on to the system, potentially including domain administrators who connected for support or maintenance. The interconnected nature of modern networks amplifies the risk. Dumping LSASS on a single endpoint can cascade into a complete network takeover: in a typical domain, one set of valid domain credentials grants access to file shares, databases, other workstations and, with the right account, domain controllers. This is why robust defences against LSASS credential dumping are needed on every endpoint, not only on servers.

3. Techniques and Tools Used for LSASS Credential Dumping in the Wild

Attackers employ a range of techniques and tools to dump credentials from the LSASS process, adapting their methods to evade detection. These techniques fall broadly into two categories: abuse of Living-off-the-Land Binaries (LOLBins) and use of dedicated hacking tools [1].

3.1. Living-off-the-Land Binaries (LOLBins)

LOLBins are legitimate, usually digitally signed binaries that are either already present on the target system or easily obtained. Attackers misuse them for activities such as LSASS credential dumping in order to blend in with normal system operations and evade detection [1]. Note that every technique below still requires the SeDebugPrivilege that comes with an elevated administrator (or SYSTEM) context; none of them bypasses the need for elevation.

One commonly used pairing is rundll32.exe with comsvcs.dll [1]. Attackers use rundll32.exe to call the MiniDump function exported by comsvcs.dll [4], a legitimate Windows function that writes a memory dump of a specified process for debugging purposes. The abuse consists of passing the process ID (PID) of lsass.exe together with an output path [11], typically in the form rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> <output path> full; the export can also be referenced by ordinal (#24) rather than by name, which defeats naive command-line matching on the string "MiniDump". Storm-0270 (formerly tracked as DEV-0270) has been observed using this technique and reversing the dump's filename (saving it as ssasl.dmp rather than the more obvious lsass.dmp) to evade filename-based detection [8]. Reliance on a built-in DLL makes the technique particularly stealthy: comsvcs.dll is integral to COM+ services, and its presence and execution are commonplace, so detection based solely on which binary ran is unreliable. The durable signals are the command line, the handle opened on lsass.exe with memory-read access, and the resulting dump file.

Another frequently employed LOLBin is procdump.exe [1]. This command-line tool, originally developed by Sysinternals and now distributed by Microsoft, creates memory dumps of running processes [3]. Attackers commonly run it with the -ma option (full dump; -mm produces a smaller minidump that still contains the credential structures) against lsass.exe [4], usually with -accepteula to suppress the licence prompt, and then analyse the dump offline. Threat actors have also been observed renaming procdump.exe to evade detections that key on the filename [13]. Because procdump.exe is a legitimate, Microsoft-signed tool, blocking it outright is likely to disrupt administrators who use it for troubleshooting. Effective detection therefore focuses on the command line (the -ma or -mm flag together with lsass.exe or its PID), on the binary's embedded original filename rather than its on-disk name (Sysmon's OriginalFileName field survives a rename), and on the handle it opens to lsass.exe.

Windows Task Manager (taskmgr.exe) can also be misused by an attacker with sufficient privileges [1]. From an elevated Task Manager, the attacker opens the "Details" tab (the "Processes" tab in older versions), right-clicks lsass.exe and selects "Create dump file" [3]; Task Manager writes lsass.DMP to the user's %TEMP% directory and displays the path. Seashell Blizzard is suspected of using the Task Manager UI for LSASS dumping as part of its BadPilot campaign [13]. Because it is interactive, Task Manager is less likely to appear in fully automated attacks than command-line tools, but it is a realistic option wherever the attacker already has an interactive session, for example over Remote Desktop or with physical access. Detection relies on taskmgr.exe opening a handle to lsass.exe with memory-read access and on the subsequent creation of a .dmp file by that process.

Other LOLBins with the same capability include Process Explorer, another Sysinternals tool whose "Create Dump" menu offers minidump and full-dump options equivalent to Task Manager and procdump.exe [4], and SQLDumper.exe, a legitimate executable shipped with Microsoft SQL Server and some Office installations that can write a full memory dump of an arbitrary process by PID, making it another candidate for abuse against LSASS [11].

3.2. Dedicated Hacking Tools

In addition to LOLBins, attackers use dedicated hacking tools and penetration-testing frameworks with built-in LSASS credential-dumping capabilities [1].

Mimikatz remains the most notorious tool designed specifically for extracting credentials from Windows systems [1]. This open-source tool performs a variety of credential theft techniques, including reading LSASS memory directly and recovering NT hashes and, in some configurations, plaintext passwords [3]. Its sekurlsa::logonpasswords command (run after privilege::debug to acquire SeDebugPrivilege) reads LSASS, parses the credential structures and prints the results in one step [9]. Because the Mimikatz binary itself is readily detected, attackers often use a LOLBin such as procdump.exe or comsvcs.dll to write the LSASS memory to a file on the victim, move that file to a system they control, and then run sekurlsa::minidump <file> followed by sekurlsa::logonpasswords offline, so Mimikatz never executes on the compromised host [9]. (Offline parsing is most reliable on a machine running the same Windows build and architecture as the victim, since the in-memory structures change between versions.) Although the standalone executable is frequently flagged by antivirus and EDR products, the techniques it uses to open and parse LSASS memory are embedded in other offensive tools and in custom malware, so detection based on the Mimikatz signature alone loses value over time. Security controls must detect the underlying behaviour and API usage associated with credential theft regardless of which tool is driving it.

Beyond Mimikatz, several other tools and frameworks commonly used for credential access incorporate LSASS dumping [1]. Cobalt Strike, a commercial adversary-simulation framework favoured by advanced threat actors, can import and customise credential-theft code such as Mimikatz and expose it through its command-and-control beacons, giving operators easy access to LSASS [4]. Impacket is a collection of Python classes for working with network protocols that supports a range of post-exploitation tasks, including credential dumping. Metasploit includes credential-harvesting modules, some of which read LSASS memory [4]. PowerSploit, a PowerShell post-exploitation toolkit, contains Out-MiniDump, which writes a full memory dump of a specified process, including LSASS [4]. Empire, a PowerShell-agent post-exploitation framework, ships credential-theft modules such as Invoke-Mimikatz [4]. Older tools such as Pwdump are still encountered occasionally. More recent tools are built around evasion: lsassy dumps LSASS on remote hosts and parses the result locally; SafetyKatz is a C# wrapper that writes a minidump of LSASS and runs a lightly modified Mimikatz against it from memory; Dumpert uses direct system calls to avoid user-mode API hooks placed by security products; Nanodump can run as a Beacon Object File and write minidumps with an invalid signature so that file-based detections miss them; DumpThatLsass is a further variation on the same theme [10]. The steady appearance of new tools, and the adaptation of old ones, reflects the ongoing contest between attackers and security vendors over credential theft and requires defenders to keep their detections current.

LOLBin            | Functionality used                        | Typical arguments / actions                                                       | Threat actors observed
------------------+-------------------------------------------+-----------------------------------------------------------------------------------+------------------------------
rundll32.exe      | Calls the MiniDump export of comsvcs.dll  | rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS PID> <output path> full | Storm-0270
procdump.exe      | Writes a process memory dump              | procdump.exe -accepteula -ma lsass.exe <output file>                              | Storm-0300, Seashell Blizzard
taskmgr.exe       | "Create dump file" from the GUI           | Details tab, right-click lsass.exe, "Create dump file"                            | Seashell Blizzard, Storm-0300
Process Explorer  | Writes a process memory dump              | Right-click lsass.exe, "Create Dump", "Create Full Dump"                          | Storm-0300
SQLDumper.exe     | Writes a full memory dump by PID          | sqldumper.exe <LSASS PID> 0 0x01100                                               | Unknown

4. Detection and Prevention by Microsoft Defender for Endpoint

Microsoft Defender for Endpoint provides a layered set of capabilities for detecting and preventing the LSASS credential-dumping techniques seen in the wild [6]. It is designed to identify suspicious activity targeting the LSASS process and to block known credential-theft tools and behaviours [5]. Microsoft commissioned an evaluation by AV-Comparatives, an independent testing organization, focused specifically on LSASS credential dumping; in that test Defender for Endpoint reportedly passed all 15 test cases, each simulating a different technique for dumping operating-system credentials from LSASS memory [6]. The outcome supports the effectiveness of the product's layered approach to this particular threat, though, as section 5 notes, the OS-level LSASS protections were disabled for the test.

Defender for Endpoint uses several detection mechanisms against LSASS dumping. Behavioural monitoring is central [6]: the sensor continuously observes processes on the endpoint and flags unusual processes that open the LSASS process's memory [1]. It also watches for API calls associated with memory dumping, such as MiniDumpWriteDump [4]. In addition, it analyses the command lines of legitimate tools (LOLBins) for suspicious patterns, for example the -ma or -mm flag passed to procdump.exe, or "MiniDump" appearing in a rundll32.exe command line that targets LSASS [4]. This behavioural focus is what allows detection of attacks that ride on legitimate tools: the judgement is made on the actions performed, not on the identity of the executable.
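The heuristics described in this section and in section 3.1 (suspicious command lines, handles opened on lsass.exe with memory-read access, dump files named after LSASS, renamed procdump binaries) can be expressed as simple triage logic over endpoint telemetry. The following is an added example and is not part of the original post or of Microsoft's detection logic; it takes Sysmon-shaped event records (Event ID 1 ProcessCreate, 10 ProcessAccess, 11 FileCreate) and returns findings. The allowlist of legitimate LSASS readers and the sample events are constructed for illustration and must be tuned to a real environment.

```powershell
# Added example: LSASS dump triage over Sysmon-style events (not the post's own code).

# Process access rights from winnt.h that dumping or injection requires.
$PROCESS_VM_READ      = 0x0010
$PROCESS_VM_WRITE     = 0x0020
$PROCESS_VM_OPERATION = 0x0008

# Assumed allowlist of images expected to open lsass.exe with VM_READ
# (antimalware engines, EDR sensors). Patterns use PowerShell -like syntax.
$AllowedLsassReaders = @(
    'C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe'
)

function Test-LsassDumpIndicator {
    param([Parameter(Mandatory)][hashtable]$Event)

    $findings = @()
    $cmd = [string]$Event['CommandLine']
    switch ([int]$Event['EventID']) {
        1 {  # ProcessCreate
            $leaf = [System.IO.Path]::GetFileName([string]$Event['Image'])
            $orig = [string]$Event['OriginalFileName']   # from the PE version resource
            # rundll32 + comsvcs.dll MiniDump, referenced by export name or by ordinal (#24).
            if ($cmd -match 'rundll32.*comsvcs(\.dll)?\s*,?\s*(MiniDump|#24)') {
                $findings += "rundll32/comsvcs MiniDump invocation: $cmd"
            }
            # procdump -ma/-mm against lsass. A renamed copy still carries
            # OriginalFileName=procdump, so key on that rather than on the image name.
            # (A PID instead of 'lsass' on the command line needs PID resolution; not shown.)
            if ($orig -like 'procdump*') {
                if ($cmd -match '\s-m[am]\b.*\blsass') {
                    $findings += "procdump dump of lsass: $cmd"
                }
                if ($leaf -notlike 'procdump*') {
                    $findings += "renamed procdump binary: $leaf (OriginalFileName=$orig)"
                }
            }
        }
        10 { # ProcessAccess
            if ([string]$Event['TargetImage'] -match '\\lsass\.exe$') {
                $mask   = [int][string]$Event['GrantedAccess']   # Sysmon logs hex text, e.g. '0x1FFFFF'
                $source = [string]$Event['SourceImage']
                $allowed = $false
                foreach ($pattern in $AllowedLsassReaders) {
                    if ($source -like $pattern) { $allowed = $true }
                }
                $memoryBits  = $PROCESS_VM_READ -bor $PROCESS_VM_WRITE -bor $PROCESS_VM_OPERATION
                $wantsMemory = ($mask -band $memoryBits) -ne 0
                if ($wantsMemory -and -not $allowed) {
                    $findings += ('lsass.exe opened with memory access 0x{0:X} by {1}' -f $mask, $source)
                }
            }
        }
        11 { # FileCreate
            # Dump files named after lsass, including the reversed "ssasl" trick.
            if ([string]$Event['TargetFilename'] -match '(lsass|ssasl)[^\\]*\.dmp$') {
                $findings += "dump file written: $($Event['TargetFilename']) by $($Event['Image'])"
            }
        }
    }
    return $findings
}

# Constructed sample events (not real telemetry). The last one is benign.
$SampleEvents = @(
    @{ EventID = 1;  Image = 'C:\Windows\System32\rundll32.exe'; OriginalFileName = 'RUNDLL32.EXE'
       CommandLine = 'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Users\Public\ssasl.dmp full' }
    @{ EventID = 1;  Image = 'C:\Users\Public\update.exe'; OriginalFileName = 'procdump'
       CommandLine = 'update.exe -accepteula -ma lsass.exe C:\Users\Public\1.dmp' }
    @{ EventID = 10; SourceImage = 'C:\Windows\System32\Taskmgr.exe'
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' }
    @{ EventID = 11; Image = 'C:\Windows\System32\Taskmgr.exe'
       TargetFilename = 'C:\Users\jdoe\AppData\Local\Temp\lsass.DMP' }
    @{ EventID = 1;  Image = 'C:\Windows\System32\svchost.exe'; OriginalFileName = 'svchost.exe'
       CommandLine = 'svchost.exe -k netsvcs -p -s Schedule' }
)

foreach ($e in $SampleEvents) {
    foreach ($f in (Test-LsassDumpIndicator -Event $e)) {
        Write-Output ('[EventID {0}] {1}' -f $e['EventID'], $f)
    }
}
```

The ProcessAccess check is the most robust of the three because it does not depend on the attacker's choice of tool or filename: every user-mode dumper, LOLBin or otherwise, must obtain a handle to lsass.exe that includes PROCESS_VM_READ. Its cost is the allowlist, which has to be maintained as security products are updated, so start in a report-only mode and review the sources that trip it before acting on it automatically.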

Alongside behavioural monitoring, Defender for Endpoint uses signature-based detection [6], identifying known credential-theft tools such as Mimikatz by their unique signatures and patterns [5], and it incorporates threat intelligence on the attack frameworks that bundle LSASS dumping capabilities.

Attack Surface Reduction (ASR) rules add a proactive layer [4]. The rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" (rule ID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) prevents untrusted and unsigned processes from opening LSASS memory to steal credentials [4]; it does so by denying unauthorised processes the ability to inject code into LSASS or read its memory [4]. This rule does not rely on indicators of compromise for specific files or certificates; it blocks the behaviour of accessing LSASS memory from processes that are not deemed legitimate or trusted [20]. Rules like this limit a behaviour known to be exploited by attackers before any specific malicious tool has been identified on the system. Like all ASR rules it can be deployed in audit or warn mode first and supports process exclusions, which should be kept to the minimum that telemetry shows is genuinely required.

When suspicious activity related to potential LSASS dumping is detected, Defender for Endpoint raises alerts in the security portal [8] that give analysts the process, user and host context needed to triage the event. Examples of titles associated with this activity include "Malware associated with DEV-0270 activity group detected" and "CredentialDumpingViaEsentutlDetector" [8]. Organizations must keep the product up to date: regular updates deliver the latest signatures and behavioural logic needed to identify and block emerging LSASS dumping techniques [22]. The combination of behavioural monitoring, signature-based detection and proactive controls such as ASR rules provides a robust defence against the LSASS dumping techniques observed in the wild.

5. AV-Comparatives LSASS Credential Dumping Evaluation

AV-Comparatives is an independent organization that tests and evaluates security software [6]. Its evaluations provide insight into how products perform against real-world threats. Recognising the importance of LSASS credential dumping as an attack technique, AV-Comparatives developed a dedicated LSASS Credential Dumping Evaluation [6] that assesses whether an endpoint security product prevents and detects unauthorised access to the LSASS process and the subsequent dumping of credentials.

The methodology tests products on fully patched Windows 10 hosts [16]. Testers log on as standard users at medium integrity and then run LSASS dump proofs of concept (PoCs) as privileged users at high or SYSTEM integrity [10]. The evaluation scores prevention and detection, with emphasis on whether the product raises an active alert in response to the attempt [10]. The test cases vary the factors an attacker can control: the dumping tool, the integrity level of the executing process, the use of LOLBins, whether Win32 APIs or direct system calls are used, and techniques such as parent-PID (PPID) spoofing [10]. In the 2022 evaluation commissioned by Microsoft, the Windows LSASS-hardening measures (LSA Protection, Credential Guard and Restricted Admin mode) were deliberately disabled so that Defender for Endpoint's own detection capabilities could be measured without help from the operating system's built-in protections [16].

The evaluation uses 15 distinct test cases covering a broad range of LSASS dumping techniques [10]. They are grouped into Whitebox tests, executed with direct access to the Windows GUI, and Blackbox tests, which simulate in-memory execution of malicious code over a command-and-control (C2) channel [16].

Whitebox Tests:

  1. Test Case 01: Mimikatz (Process Herpaderping) - Mimikatz launched via process herpaderping, a technique that rewrites the executable on disk after the image section has been created but before the process starts, so the file a scanner inspects differs from the code that actually runs [16].

  2. Test Case 02: Native APIs DLL - A custom DLL that calls the Windows native (Nt*) APIs directly, rather than the documented Win32 wrappers, to dump LSASS memory [16].

  3. Test Case 03: Silent Process Exit - Abuse of the Image File Execution Options "SilentProcessExit" mechanism, which instructs Windows Error Reporting to write a dump of a process on its behalf, so that the operating system itself dumps LSASS [10].

  4. Test Case 04: Alternative API Snapshot Function - Use of the process-snapshot API (PssCaptureSnapshot) to clone LSASS and then dump the clone, avoiding a direct read of the live process [10].

  5. Test Case 05: MalSecLogon - The MalSecLogon tool, which is reported to abuse the Secondary Logon service to obtain a handle to LSASS without opening it directly from the attacker's process [10].

  6. Test Case 06: Dump LSASS - A straightforward direct dump of LSASS memory [10].

  7. Test Case 07: Duplicate Dump - A dump produced via a duplicated handle to LSASS, most likely one taken from another process that already holds it, so the dumping process never calls OpenProcess on lsass.exe itself [10].

  8. Test Case 08: PowerShell Mimikatz - Mimikatz functionality executed from within a PowerShell session to dump LSASS memory [16].

Blackbox Tests:

  1. Test Case 09: Invoke Mimikatz (PoshC2) - The Invoke-Mimikatz module run through the PoshC2 command-and-control framework for in-memory LSASS dumping [16].

  2. Test Case 10: SafetyDump - The SafetyDump tool, a utility for dumping LSASS memory, executed in a blackbox scenario [10].

  3. Test Case 11: Snapshot (PoshC2 RunPE) - The snapshot technique delivered through PoshC2 using RunPE, which maps and executes a portable executable in memory rather than from disk [16].

  4. Test Case 12: Unhook (Metasploit Framework) - A Metasploit Framework payload that first removes the user-mode API hooks installed by the security product and then attempts to dump LSASS [16].

  5. Test Case 13: Reflective DLL (Metasploit Framework) - A reflectively loaded DLL (one mapped directly from memory without touching disk) injected via Metasploit to perform the dump [16].

  6. Test Case 14: Invoke Mimikatz (PowerShell Empire) - The Invoke-Mimikatz module run through the PowerShell Empire framework for in-memory LSASS dumping [16].

  7. Test Case 15: Invoke-PPLDump (PowerShell Empire) - The Invoke-PPLDump module within PowerShell Empire, designed to bypass Protected Process Light (PPL) and dump LSASS. PPL was out of scope for the 2022 testing (it was disabled on the test hosts), so this case measures whether the technique is detected rather than whether PPL holds [10].

In the 2022 test commissioned by Microsoft, Defender for Endpoint detected all 15 test cases [6]. AV-Comparatives also runs a broader LSASS Credential Dumping Certification; to be certified, a product must prevent or detect at least two-thirds of the test cases (10 of 15) [10]. In more recent rounds, other vendors have achieved the certification, including Bitdefender GravityZone Business Security Enterprise, CrowdStrike Falcon Pro, ESET PROTECT Enterprise Cloud and Kaspersky Endpoint Security for Business [23]. The evaluation is a useful independent check of an endpoint product against this one critical technique, but its scope is narrow (15 PoCs, OS protections disabled, Windows 10), so it should inform rather than replace an organization's own testing of its configured stack.

6. Hardening Windows: Recommendations for Securing the LSASS Process

Windows administrators can apply several hardening measures that protect the LSASS process and reduce the risk of credential dumping [4]. They are complementary: each closes a different path, and none of them replaces endpoint monitoring.

One of the most effective measures is to run LSASS as a Protected Process Light (PPL), also called LSA Protection [6]. PPL, introduced in Windows 8.1, extends the protected-process concept and shields the process from tampering and termination even by local administrators [25]. On new, enterprise-joined installations of Windows 11 version 22H2 and later it is enabled by default [6]; elsewhere it is enabled with the RunAsPPL value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (or the equivalent Group Policy or Intune setting) followed by a reboot. PPL allows only code signed at the appropriate level to load into or open the protected process [27], so an ordinary administrator-level process cannot obtain a handle to LSASS with memory-read access, which defeats Mimikatz, procdump, Task Manager and the comsvcs.dll technique alike. Two caveats apply. First, enable the LSA audit mode (the AuditLevel value, which logs events 3065 and 3066 in the Microsoft-Windows-CodeIntegrity/Operational log) before enforcing, because unsigned or improperly signed authentication plug-ins and password filters will stop loading. Second, PPL is not absolute: an attacker with kernel code execution, for example via a signed but vulnerable driver, can strip the protection, and on systems without the UEFI lock an administrator can simply remove the registry value and reboot. PPL raises the cost substantially; it does not make LSASS unreachable.

Another crucial measure is Windows Defender Credential Guard [2]. Credential Guard uses virtualization-based security (VBS) to move the most sensitive secrets, NTLM password hashes and Kerberos Ticket Granting Tickets (TGTs), into an isolated LSA process (LSAIso) that the normal operating system cannot read [6]. Like PPL for LSASS, it is enabled by default on Windows 11 Enterprise version 22H2 and later on devices that meet the hardware and software requirements [6]. Because the secrets live outside the normal OS, a dump of lsass.exe no longer yields domain hashes or TGTs, which blunts pass-the-hash and pass-the-ticket attacks [31], and this holds even for malware running as SYSTEM in the main operating system. Its limits should be understood: Credential Guard protects domain credentials only, not local SAM accounts or credentials saved by applications; it does not prevent an attacker from using an already logged-on session (token theft, or requesting service tickets with the user's existing TGT); and it requires UEFI, Secure Boot and a hypervisor-capable CPU, so it may not be available on older hardware.

Enforcing least privilege by strictly limiting local administrative access is a fundamental practice that directly affects an attacker's ability to dump LSASS [3]. Every technique described in section 3 requires administrator-level privileges on the host [5]. Reducing the number of accounts with local administrator rights, and avoiding daily use of those accounts for browsing or e-mail, shrinks the attack surface and forces an attacker who lands in a standard user account to find a privilege-escalation path before credential dumping becomes possible. Limiting where privileged accounts log on matters just as much: a domain administrator who signs in to a workstation leaves credentials in that workstation's LSASS.

Administrators should also disable WDigest authentication wherever it is not explicitly required [3]. When the UseLogonCredential value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest is set to 1, the system keeps the user's plaintext password in LSASS memory after logon [6]. That greatly simplifies credential theft for an attacker who dumps LSASS: there is no hash to crack, the password is simply there. Setting the value to 0 prevents plaintext storage. WDigest was enabled by default on Windows 7, Windows 8, Windows Server 2008 R2 and Server 2012 until update KB2871997 introduced the control; it is off by default from Windows 8.1 and Server 2012 R2 onward, but attackers with administrative access have been known to re-enable it and wait for the next logon, so the value is also worth monitoring for change. WDigest may still be needed by a few legacy applications or authentication scenarios; on modern systems it should be disabled.

Keeping systems updated and patched is also part of securing LSASS [8]. Security updates close the vulnerabilities an attacker might otherwise use to obtain the elevated access that dumping requires. Strong password policies and multi-factor authentication (MFA) do not prevent LSASS dumping, but they reduce the value of what is stolen: long, unique passwords resist cracking, and MFA on remote access paths means a password or hash alone is not enough. Organizations should also monitor endpoints for suspicious processes and command-line activity [3]; an Endpoint Detection and Response (EDR) solution such as Microsoft Defender for Endpoint continuously records process behaviour, including handles opened on LSASS and the command-line arguments passed to LOLBins known to be used for credential dumping [3]. Finally, network segmentation limits how far an attacker can move with stolen credentials, so that a compromise of one host does not propagate across the whole network.

Summary of recommendations

Recommendation: Enable PPL for LSASS
Description: Runs LSASS as a Protected Process Light, so that code which is not itself a protected process signed at a suitable level cannot open it with the access rights needed to read or write its memory.
Benefit: Defeats the common user-mode dumping techniques (MiniDumpWriteDump via comsvcs.dll, ProcDump, Task Manager, Mimikatz) that need a handle to LSASS with PROCESS_VM_READ. An attacker who can load kernel code can strip the protection, so PPL is one layer rather than a guarantee.
Implementation Method: Group Policy, Registry (RunAsPPL = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; a reboot is required, and Wininit logs System event ID 12 when LSASS actually starts protected).

Recommendation: Enable Credential Guard
Description: Moves NTLM hashes, Kerberos ticket-granting tickets and other LSA secrets for domain accounts into a process isolated by virtualization-based security, so the main operating system cannot read them even as SYSTEM.
Benefit: Prevents pass-the-hash and pass-the-ticket from a dump of lsass.exe, because the material is no longer in that process. Local SAM accounts and credentials typed after the host is compromised are outside its scope.
Implementation Method: Group Policy, Intune, Registry (requires UEFI, Secure Boot and hardware virtualization).

Recommendation: Restrict Local Administrative Access
Description: Limits the number of users and service accounts with local administrator rights, and therefore with SeDebugPrivilege, on each system.
Benefit: Reduces the population of accounts whose compromise hands an attacker the privilege needed to open LSASS at all.
Implementation Method: Group Policy, Account Management (for example Restricted Groups and LAPS-managed local administrator passwords).

Recommendation: Disable WDigest Authentication
Description: Sets UseLogonCredential to 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest so that WDigest no longer caches plaintext passwords in LSASS memory.
Benefit: Removes the one configuration that turns a dump into immediately usable cleartext passwords; the value must be explicitly 0 on Windows 7/8/Server 2008 R2/2012, where an absent value still means caching is on.
Implementation Method: Group Policy, Registry.

Recommendation: Keep Systems Updated and Patched
Description: Regularly apply security updates for the OS and all other software.
Benefit: Closes known privilege-escalation vulnerabilities that attackers use to obtain the rights needed for credential dumping.
Implementation Method: Patch Management Solutions, Windows Update.

Recommendation: Monitor Suspicious Activity
Description: Use EDR telemetry to watch for unusual processes opening handles to lsass.exe, LOLBin command lines associated with dumping, and changes to the WDigest and Lsa registry keys.
Benefit: Provides early detection of dumping attempts and of preparatory steps such as weakening the configuration, allowing timely intervention.
Implementation Method: Microsoft Defender for Endpoint, other EDR solutions, Sysmon.
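The following PowerShell is an added example, not code from the article or from Microsoft: a read-only audit that reports the state of each recommendation in the summary above on the local host. It is meant to be run in an elevated session. It assumes the host is Windows 8.1/Server 2012 R2 or later (so an absent UseLogonCredential value is treated as safe) and relies only on documented cmdlets, registry values, the Win32_DeviceGuard CIM class and the Wininit event that confirms LSASS started as a protected process.

```powershell
# Added example: audit the LSASS hardening posture summarised in the table above.
# Run in an elevated PowerShell session on the host being assessed. Not the article's code.

function Get-LsassHardeningState {
    $result = [ordered]@{}

    # 1. LSA Protection (PPL). RunAsPPL = 1 enables it with UEFI lock; 2 (Windows 11) enables it without the lock.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
    $result['RunAsPPLConfigured'] = ($null -ne $lsa -and ($lsa.RunAsPPL -in @(1, 2)))

    # The registry value only takes effect after a reboot, so confirm it is live: Wininit writes
    # System event ID 12 "LSASS.exe was started as a protected process with level: 4" at each boot.
    $pplEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*LSASS.exe was started as a protected process*' } |
        Select-Object -First 1
    $result['RunAsPPLActive'] = ($null -ne $pplEvent)

    # 2. Credential Guard. Win32_DeviceGuard lists security services as integers; 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result['CredentialGuardConfigured'] = ($null -ne $dg -and (1 -in @($dg.SecurityServicesConfigured)))
    $result['CredentialGuardRunning']    = ($null -ne $dg -and (1 -in @($dg.SecurityServicesRunning)))

    # 3. WDigest plaintext caching. UseLogonCredential = 1 keeps cleartext passwords in LSASS.
    # Absent is safe on Windows 8.1 / Server 2012 R2 and later (assumed here); older builds need an explicit 0.
    $wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name UseLogonCredential -ErrorAction SilentlyContinue
    $result['WDigestUseLogonCredential'] = if ($null -eq $wd) { 'absent' } else { [int]$wd.UseLogonCredential }

    # 4. Local Administrators membership: every member can obtain SeDebugPrivilege and open LSASS.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $result['LocalAdministrators'] = (@($admins) | ForEach-Object { $_.Name }) -join ', '

    # 5. Patch currency: age of the most recently installed update.
    $lastFix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $result['DaysSinceLastHotfix'] = if ($lastFix) { [int](New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).TotalDays } else { 'unknown' }

    [pscustomobject]$result
}

$state = Get-LsassHardeningState
$state | Format-List

# Surface the findings that matter most for LSASS dumping first.
if (-not $state.RunAsPPLActive)            { Write-Warning 'LSASS is not running as a protected process (RunAsPPL not set, or set but not yet rebooted).' }
if (-not $state.CredentialGuardRunning)    { Write-Warning 'Credential Guard is not running; domain hashes and TGTs are readable from a dump of lsass.exe.' }
if ($state.WDigestUseLogonCredential -eq 1) { Write-Warning 'WDigest is caching plaintext passwords in LSASS memory.' }
```

The distinction between RunAsPPLConfigured and RunAsPPLActive is the one worth keeping in a fleet report: a registry value pushed by Group Policy to a machine that has not rebooted since looks compliant but is still dumpable.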

7. The LSASS Attack Surface Reduction (ASR) Rule

The "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" Attack Surface Reduction (ASR) rule in Microsoft Defender for Endpoint is a control aimed specifically at credential theft from LSASS.4 It works by denying untrusted processes the ability to open lsass.exe with access that would let them read its memory or inject code into it.4 The rule keys on the behaviour of the process attempting the access rather than on traditional indicators of compromise such as file hashes or signing certificates,20 so a renamed or recompiled dumping tool is treated no differently from a well-known one.

The AV-Comparatives evaluation of Microsoft Defender for Endpoint supports the effectiveness of this control.6 16 As mentioned earlier, Defender for Endpoint, with its ASR rules enabled, blocked the LSASS dumping techniques exercised in that test, which makes the "Block credential stealing from LSASS" rule a worthwhile component of a layered defence against credential theft.

The LSASS ASR rule, like other ASR rules in Defender for Endpoint, can be deployed in Block, Audit or Warn mode.20 Block prevents the access; Audit allows it but writes an event so the impact can be assessed; Warn shows the user a prompt and lets them bypass the block. Microsoft recommends starting in Audit mode, and for this rule in particular that advice matters: because it watches process-open behaviour rather than specific binaries, any software that enumerates all running processes and opens each of them with broad access rights (some backup, inventory and monitoring agents do this) will trip it.20 Reviewing the Audit events grouped by process name for a week or two identifies those applications before the switch to Block.21 Any exclusions added for them should be as narrow as possible, since an excluded path is one an attacker can copy a dumping tool into.

To use ASR rules at all, Microsoft Defender Antivirus must be the active antivirus on the endpoint, with real-time protection enabled; in passive mode (another vendor's product is primary) the rules do not apply.19 The "Block credential stealing from LSASS" rule is one of the standard protection rules that Microsoft recommends every organization enable as part of its baseline.20 It is a simple control to roll out and substantially reduces the risk from the common LOLBin-based and well-known tool-based techniques for reading LSASS memory. Because it is enforced by Defender's own components, however, it adds a layer beside PPL and Credential Guard rather than replacing them: an attacker who has already loaded kernel code or tampered with Defender is outside its scope.
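The deployment sequence described above, staged from Audit to Block with a review of what Audit recorded in between, as an added PowerShell example that is not the article's or Microsoft's own code. The GUID is Microsoft's published identifier for this rule; the cmdlets, the action codes and the Defender operational event IDs (1122 audited, 1121 blocked) are documented. The "Process Name" and "Path" labels are read from the event message text as Defender renders it, so if a future build changes the wording the summary would need adjusting. On hosts where ASR is managed by Intune or Group Policy the local Add-MpPreference change is overridden by that policy and should be made there instead.

```powershell
# Added example, not the article's code: stage the LSASS ASR rule Audit -> review -> Block.
# Needs an elevated session with Microsoft Defender Antivirus as the active AV.
$LsassAsrRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # "Block credential stealing from ... lsass.exe"

function Get-LsassAsrRuleState {
    # Get-MpPreference exposes parallel arrays of rule IDs and actions
    # (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $LsassAsrRuleId) {        # -eq is case-insensitive for strings
            $code = [int]$actions[$i]
            if ($names.ContainsKey($code)) { return $names[$code] } else { return "Unknown($code)" }
        }
    }
    'NotConfigured'
}

function Set-LsassAsrRuleMode {
    param([Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Mode)
    # Add-MpPreference both creates the entry for a rule ID and updates an existing one.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRuleId -AttackSurfaceReductionRules_Actions $Mode
}

function Get-LsassAsrEventSummary {
    param([int]$Days = 14)
    # 1122 = rule audited, 1121 = rule blocked. Grouping by the offending process makes legitimate
    # agents that sweep every process handle stand out before the rule is switched to Block.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $LsassAsrRuleId }

    $events | ForEach-Object {
        [pscustomobject]@{
            Action  = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            Process = [regex]::Match($_.Message, '(?m)^\s*Process Name:\s*(.+?)\s*$').Groups[1].Value
            Target  = [regex]::Match($_.Message, '(?m)^\s*Path:\s*(.+?)\s*$').Groups[1].Value
        }
    } | Group-Object Action, Process, Target | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Action, Process, Target'; e = { $_.Name } }
}

# Stage 1: audit only, then let the host run normally for a review period.
Set-LsassAsrRuleMode -Mode AuditMode
"Rule state: $(Get-LsassAsrRuleState)"

# Stage 2: what would have been blocked? Expect backup/inventory agents here if they sweep handles.
Get-LsassAsrEventSummary -Days 14 | Format-Table -AutoSize

# Stage 3 (after the review, once any needed exclusions are in place): enforce.
# Set-LsassAsrRuleMode -Mode Enabled
```

A process that appears in the Audit summary with a Target of lsass.exe and is neither a known agent nor an administrator's debugger is not a false positive to exclude; it is the finding the rule exists to produce, and the host should be investigated before the rule is switched to Block.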

8. WDigest and "UseLogonCredential": Risks and Detection

The "UseLogonCredential" registry value, located under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, decides whether the WDigest provider keeps a copy of each user's cleartext password in LSASS memory.6 When this REG_DWORD is set to 1, the plaintext password is cached at logon.6 On Windows 8.1, Server 2012 R2 and later the value is absent by default and WDigest behaves as though it were 0; on Windows 7, 8, Server 2008 R2 and Server 2012 the setting was introduced by update KB2871997 and caching remains on until the value is explicitly set to 0. The consequence of a 1 is severe: an attacker who dumps LSASS from such a system reads the user's password directly, with no hash to crack and no uncertainty about whether the cracking will succeed.6

Microsoft Defender Antivirus detects attempts to set this value to 1.6 Changing "UseLogonCredential" to enable plaintext caching weakens the device's security posture and is a tactic threat actors use when they expect difficulty dumping or extracting credentials from LSASS by other means: they flip the value, then wait for users (or helpdesk staff) to log on again so that fresh cleartext passwords land in memory.6 A detection on the change is therefore an early warning that fires before the credentials themselves are stolen, and the modification should be alerted on, blocked where possible, and treated as a precursor to an LSASS dump on that host. The registry write itself is visible to any EDR, to Sysmon (event ID 13, value set) and, with an audit SACL on the key, to the Windows Security log (event ID 4657). As a preventative measure, WDigest plaintext caching should be disabled entirely where it is not actively used, which removes the exposure this setting creates.
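The preventative and detective halves of this section, as an added PowerShell example that is not the article's own code: enforce UseLogonCredential = 0, put an audit SACL on the WDigest key so that later writes produce Security event 4657, and hunt the Sysmon and Security logs for earlier attempts to set the value to 1. It assumes an elevated session, that Sysmon is installed with a configuration that logs registry value-set events for this key (otherwise that half simply returns nothing), that the "Registry" object-access audit subcategory is enabled, and that the event messages carry the "Image:", "Details:", "Process Name:" and "New Value:" lines as Sysmon and the Security log render them.

```powershell
# Added example, not the article's code: harden the WDigest key and hunt for tampering. Run elevated.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Disable-WDigestPlaintextCaching {
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    # Write an explicit 0 rather than deleting the value: on Windows 7/8/Server 2008 R2/2012 (with KB2871997)
    # an absent value still means plaintext caching is on; only 8.1 / 2012 R2 and later default to off.
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    # Only logons after this change are affected; passwords already cached stay in LSASS until those sessions end.
    (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential).UseLogonCredential
}

function Enable-WDigestKeyAuditing {
    # Audit every successful SetValue on the key so Security event 4657 records the modifying process.
    # The "Registry" object-access subcategory must also be on:  auditpol /set /subcategory:"Registry" /success:enable
    $acl  = Get-Acl -Path $WDigestKey -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule('Everyone', 'SetValue', 'None', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $WDigestKey -AclObject $acl
}

function Find-WDigestTamperEvents {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)

    # Sysmon event ID 13 (RegistryEvent: Value Set). Assumes Sysmon is installed and its config covers this key.
    $sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'WDigest\\UseLogonCredential' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Source  = 'Sysmon 13'
                Process = [regex]::Match($_.Message, '(?m)^Image:\s*(.+?)\s*$').Groups[1].Value
                Value   = [regex]::Match($_.Message, '(?m)^Details:\s*(.+?)\s*$').Groups[1].Value   # e.g. "DWORD (0x00000001)"
            }
        }

    # Security event ID 4657 (registry value modified), produced once the SACL above is in place.
    $security = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'WDigest' -and $_.Message -match 'UseLogonCredential' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Source  = 'Security 4657'
                Process = [regex]::Match($_.Message, '(?m)^\s*Process Name:\s*(.+?)\s*$').Groups[1].Value
                Value   = [regex]::Match($_.Message, '(?m)^\s*New Value:\s*(.+?)\s*$').Groups[1].Value    # e.g. "1"
            }
        }

    @($sysmon) + @($security) | Where-Object { $null -ne $_ } | Sort-Object Time
}

"UseLogonCredential is now: $(Disable-WDigestPlaintextCaching)"
Enable-WDigestKeyAuditing

# Any write that set the value to 1 is the precursor described above. reg.exe, PowerShell or an unknown
# binary writing DWORD 1 here warrants an immediate LSASS-access investigation on that host.
Find-WDigestTamperEvents -Days 30 |
    Where-Object { $_.Value -match '0x0*1\)$|^1$' } |
    Format-Table Time, Source, Process, Value -AutoSize
```

The filter on the new value is deliberate: a Group Policy refresh rewriting 0 over 0 also produces a 4657 or Sysmon 13 event and would otherwise drown the one write that matters.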

9. Conclusion: A Layered Approach to Protecting LSASS Credentials

LSASS credential dumping remains a persistent and significant threat. Attackers continue to evolve their techniques, leveraging both legitimate system tools and dedicated hacking utilities to extract sensitive credentials from this critical Windows process. The motivation is clear: stolen credentials provide the keys to lateral movement, privilege escalation, data exfiltration, persistence and, ultimately, broader campaigns such as ransomware deployment.

To effectively defend against these evolving threats, organizations must adopt a multi-layered security strategy. Relying on a single security measure is no longer sufficient in the face of determined adversaries. A robust defense-in-depth approach is essential, combining various preventative and detective controls to minimize the risk of successful LSASS credential dumping. Preventative measures such as enabling Protected Process Light (PPL) and Windows Defender Credential Guard provide strong inherent protections to the LSASS process and the credentials it manages. Strictly restricting local administrative privileges further reduces the attack surface available to potential adversaries. Disabling the WDigest authentication protocol, where not required, eliminates a significant vulnerability that can simplify credential theft. Keeping all systems up-to-date with the latest security patches is crucial for addressing known vulnerabilities that attackers might exploit.

Complementing these preventative measures, robust detection capabilities are equally important. Endpoint Detection and Response (EDR) solutions like Microsoft Defender for Endpoint play a vital role in continuously monitoring for suspicious processes, unusual command-line activity associated with LOLBins, and other behavioral indicators of potential credential dumping attempts. The Attack Surface Reduction (ASR) rule specifically designed to block credential stealing from LSASS provides an additional proactive layer of defense. Furthermore, monitoring for attempts to weaken system security, such as enabling the "UseLogonCredential" registry value for WDigest, can provide early warnings of malicious activity.

The independent evaluations conducted by organizations like AV-Comparatives offer valuable insights into the effectiveness of various security solutions against LSASS credential dumping. These tests underscore the importance of choosing and properly configuring security products that have demonstrated their ability to detect and prevent these sophisticated attacks. Ultimately, no single security measure can guarantee complete protection. A defense-in-depth strategy, which combines multiple layers of protection, is paramount for effectively mitigating the risk of LSASS credential dumping and safeguarding sensitive credentials. This requires a holistic approach to security, encompassing not only the implementation of technical controls but also continuous monitoring, user education, and a proactive stance towards adapting to the ever-evolving threat landscape.

Works cited

  1. Defending Against OS Credential Dumping: Threat Landscape, Strategies, and Best Practices - Logpoint, accessed April 6, 2025, https://www.logpoint.com/wp-content/uploads/2024/07/logpoint-etpr-defending-against-os-credential-dumping.pdf

  2. Local Security Authority (LSA) - NETWORK ENCYCLOPEDIA, accessed April 6, 2025, https://networkencyclopedia.com/local-security-authority-lsa/

  3. LSASS Dumping Techniques - HawkEye, accessed April 6, 2025, https://hawk-eye.io/2022/09/lsass-dumping-techniques/

  4. LSASS Memory - Red Canary Threat Detection Report, accessed April 6, 2025, https://redcanary.com/threat-detection-report/techniques/lsass-memory/

  5. Detect and block Credential Dumps with Defender for Endpoint & Attack Surface Reduction, accessed April 6, 2025, https://jeffreyappel.nl/detect-and-block-credential-dumps-with-defender-for-endpoint-attack-surface-reduction/

  6. Detecting and preventing LSASS credential dumping attacks | Microsoft Security Blog, accessed April 6, 2025, https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/

  7. Detection: Dump LSASS via comsvcs DLL | Splunk Security Content, accessed April 6, 2025, https://research.splunk.com/endpoint/8943b567-f14d-4ee8-a0bb-2121d4ce3184/

  8. Profiling DEV-0270: PHOSPHORUS' ransomware operations ..., accessed April 6, 2025, https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/

  9. Various LSASS Credentials Dumping Methods Detected by EDR - ASEC - AhnLab, accessed April 6, 2025, https://asec.ahnlab.com/en/60690/

  10. LSASS Credential Dumping Certification Test 2024 - AV-Comparatives, accessed April 6, 2025, https://www.av-comparatives.org/wp-content/uploads/2024/05/avc_LSASS_2024_ESET.pdf

  11. LSASS Memory Dumps: Dumping Methods Explained [Part 1] | Deep Instinct, accessed April 6, 2025, https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before

  12. Detection: Dump LSASS via procdump | Splunk Security Content, accessed April 6, 2025, https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002/

  13. Tracking the Unseen: Edgewater's Enhanced Queries for Seashell ..., accessed April 6, 2025, https://edgewaterit.com/2025/02/20/seashell-blizzard-apt/

  14. Remote Interactive Task Manager LSASS Dump - Threat Hunter Playbook, accessed April 6, 2025, https://threathunterplaybook.com/hunts/windows/191030-RemoteInteractiveTaskMgrLsassDump/notebook.html

  15. The BadPilot campaign: Seashell Blizzard subgroup conducts ..., accessed April 6, 2025, https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/

  16. www.av-comparatives.org, accessed April 6, 2025, https://www.av-comparatives.org/wp-content/uploads/2022/09/avc_sp_lsass_ms_2022.pdf

  17. Bypassing Modern Security: A Deep Dive into LSASS.exe Memory Dumping Using Beacon Object Files | by Yua Mikanana | Medium, accessed April 6, 2025, https://medium.com/@yua.mikanana19/bypassing-modern-security-a-deep-dive-into-lsass-exe-memory-dumping-using-beacon-object-files-e9eecf0d5f16

  18. Potential Credential Access via LSASS Memory Dump | Elastic Security Solution [8.17], accessed April 6, 2025, https://www.elastic.co/guide/en/security/current/potential-credential-access-via-lsass-memory-dump.html

  19. defender-docs/defender-endpoint/attack-surface-reduction-rules-deployment.md at public - GitHub, accessed April 6, 2025, https://github.com/MicrosoftDocs/defender-docs/blob/public/defender-endpoint/attack-surface-reduction-rules-deployment.md

  20. Attack surface reduction rules reference - Microsoft Defender for Endpoint, accessed April 6, 2025, https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

  21. The Top 5 ASR Rules For Reducing Attack Surfaces - Levacloud LLC, accessed April 6, 2025, https://levacloud.com/2024/03/05/5-asr-rules-for-reducing-attack-surfaces/

  22. LSASS Credential Dumping Certification - ESET PROTECT Enterprise Cloud, accessed April 6, 2025, https://www.av-comparatives.org/tests/lsass-credential-dumping-certification-eset-protect-enterprise-cloud/

  23. LSASS Credential Dumping Certification Test - AV-Comparatives, accessed April 6, 2025, https://www.av-comparatives.org/lsass-credential-dumping-certification-test/

  24. LSASS Credential Dumping Certification Test - AV-Comparatives, accessed April 6, 2025, https://www.av-comparatives.org/news/lsass-credential-dumping-certification-test/

  25. The Evolution of Protected Processes - Part 1: Pass-the-Hash Mitigations in Windows 8.1, accessed April 6, 2025, https://www.crowdstrike.com/en-us/blog/evolution-protected-processes-part-1-pass-hash-mitigations-windows-81/

  26. The Windows Security Journey — PPL (Protected Processes Light) | by Shlomi Boutnaru, Ph.D. | Medium, accessed April 6, 2025, https://medium.com/@boutnaru/the-windows-security-journey-ppl-protected-processes-light-831d5f371004

  27. About Protected Process Light (PPL) technology for Windows - Kaspersky, accessed April 6, 2025, https://support.kaspersky.com/13905

  28. About Protected Process Light (PPL) technology for Windows - Support - Kaspersky, accessed April 6, 2025, https://support.kaspersky.com/common/windows/13905

  29. PROCESS_PROTECTION_LEV, accessed April 6, 2025, https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-process_protection_level_information

  30. Protecting Windows protected processes | Elastic Blog, accessed April 6, 2025, https://www.elastic.co/blog/protecting-windows-protected-processes

  31. Credential Guard overview - Learn Microsoft, accessed April 6, 2025, https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/

  32. How to Verify if Credential Guard is Enabled or Disabled in Windows - NinjaOne, accessed April 6, 2025, https://www.ninjaone.com/blog/verify-credential-guard-in-windows/

  33. windows-itpro-docs/windows/security/identity-protection/credential-guard/how-it-works.md at public - GitHub, accessed April 6, 2025, https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/identity-protection/credential-guard/how-it-works.md

  34. Configure Credential Guard | Microsoft Learn, accessed April 6, 2025, https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure

  35. Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint, accessed April 6, 2025, https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
