LSASS
- Local Security Authority Subsystem Service (LSASS)[1] is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.[2] It also writes to the Windows Security Log.
-
Obtaining user operating system (OS) credentials from a targeted device is among threat actors’ primary goals when launching attacks because these credentials serve as a gateway to various objectives they can achieve in their target organization’s environment, such as lateral movement. One technique attackers use is targeting credentials in the Windows Local Security Authority Subsystem Service (LSASS) process memory because it can store not only a current user’s OS credentials but also a domain admin’s. https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/
-
LSASS secrets https://www.thehacker.recipes/ad/movement/credentials/dumping/lsass#lsass-secrets