LSASS Memory Dumps are Stealthier than Ever Before


Dump file

Domain, local usernames, and passwords that are stored in the memory space of a process are named LSASS (Local Security Authority Subsystem Service). If given the requisite permissions on the endpoint, users can be given access to LSASS and its data can be extracted for lateral movement and privilege escalation.

It is increasingly common to see LSASS memory dump files being sent over the network to attackers in order to extract credentials in a stealthier manner. The alternative is running Mimikatz on the endpoint which might cause it to be blocked or detected by the local antivirus software.

Read more…