
What is LSASS?

LSASS is the Windows process that handles logon and, in doing so, keeps the credentials of everyone signed in to a machine in memory. Dump it and you harvest passwords, hashes, and Kerberos tickets. Here is what LSASS is, the attack, and how to protect it.

TL;DR

LSASS (Local Security Authority Subsystem Service) is the Windows process that enforces the security policy on a machine: it verifies logons, handles password changes, and issues access tokens. To do its job it caches the credentials of every user currently signed in, as hashes, and sometimes Kerberos tickets, in memory. Attackers who gain administrator rights on a host dump the LSASS process to harvest those credentials, then reuse them through Pass-the-Hash or Pass-the-Ticket to move to the next machine. LSASS dumping is the engine of lateral movement, which is why protecting it is a core endpoint-hardening step.

By John Dill, Red Team Lead, SecureLayer7

What LSASS is

LSASS is a core Windows process (lsass.exe) responsible for local security: validating logons, enforcing password policy, and creating the access tokens that decide what a user can do.

To authenticate users and enable single sign-on, LSASS keeps the credentials of everyone logged in to the machine in its memory, in the form of NTLM hashes and, where Kerberos is used, tickets. That convenience, credentials cached in memory so users do not re-type them, is exactly what attackers come for.

The attack: dumping credentials

An attacker who has local administrator rights on a machine can read the memory of the LSASS process and extract every cached credential: NTLM hashes, Kerberos tickets, and in some configurations plaintext passwords.

Those credentials drive lateral movement. The attacker dumps LSASS on the first machine, reuses a harvested hash to authenticate to the next machine where that account has access (Pass-the-Hash), dumps that machine’s LSASS for fresh and more privileged credentials, and repeats until a Domain Admin’s credentials appear in memory somewhere. One privileged user logging in to a compromised host is enough to lose the domain.

How the attack runs

The documented techniques include reading LSASS live or dumping it for offline parsing:

  • Live extraction: sekurlsa::logonpasswords (Mimikatz) reads hashes, tickets, and cached secrets
  • Create a memory dump to parse elsewhere: procdump -ma lsass.exe lsass.dmp, then process it offline
  • Reuse a harvested hash without cracking: wmiexec.py -hashes :<nt-hash> corp.local/admin@host (Impacket Pass-the-Hash)

These are well-known methods shown so defenders can detect and block them.
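Each of the techniques above has to open a handle to lsass.exe with memory-read access, and that handle open is the detection point. The following PowerShell is an added example (not code from the SecureLayer7 page): it reads Sysmon Event ID 10 (ProcessAccess) records, keeps those whose target is lsass.exe and whose granted access mask includes PROCESS_VM_READ, and drops sources on an allowlist. The allowlist and the sample events are constructed for illustration; the allowlist must be tuned to the EDR and AV binaries actually present on the host.

```powershell
# Added example, not code from the SecureLayer7 page: flag processes that open lsass.exe with
# memory-read access, using Sysmon Event ID 10 (ProcessAccess). Assumes Sysmon is installed with
# a config that logs ProcessAccess for lsass.exe; the allowlist below is a constructed starting
# point and should be tuned to the host's own security tooling.

# MiniDumpWriteDump needs at least PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_VM_READ (0x0010),
# so VM_READ is the bit that separates a dump from a harmless status query.
$PROCESS_VM_READ = 0x0010

# Constructed allowlist of sources that legitimately touch LSASS on most hosts.
$BenignSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe',
    'C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe'
)

function Test-LsassAccessEvent {
    # $Event: object with SourceImage, TargetImage and GrantedAccess (hex string, e.g. '0x1010')
    param([Parameter(Mandatory)] $Event)
    if ($Event.TargetImage -notlike '*\lsass.exe') { return $false }
    $mask = [Convert]::ToInt32($Event.GrantedAccess, 16)
    if (($mask -band $PROCESS_VM_READ) -eq 0) { return $false }   # no memory read, not a dump
    foreach ($pattern in $BenignSources) {
        if ($Event.SourceImage -like $pattern) { return $false }
    }
    return $true
}

function Get-SysmonLsassAccess {
    # Live path: Sysmon writes ProcessAccess as Event ID 10 in its Operational log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $d.SourceImage
                TargetImage   = $d.TargetImage
                GrantedAccess = $d.GrantedAccess
                CallTrace     = $d.CallTrace
            }
        }
}

# Constructed sample events so the logic can be exercised offline without Sysmon.
$Samples = @(
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\csrss.exe';   TargetImage = 'C:\Windows\System32\lsass.exe';    GrantedAccess = '0x1FFFFF' },
    [pscustomobject]@{ SourceImage = 'C:\Users\bob\Downloads\pd.exe';   TargetImage = 'C:\Windows\System32\lsass.exe';    GrantedAccess = '0x1FFFFF' },
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\taskmgr.exe'; TargetImage = 'C:\Windows\System32\lsass.exe';    GrantedAccess = '0x1000' },
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\svchost.exe'; TargetImage = 'C:\Windows\System32\services.exe'; GrantedAccess = '0x1010' }
)

# Use the live Sysmon log when it exists, otherwise the constructed samples.
$source = if (Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue) {
    Get-SysmonLsassAccess
} else {
    $Samples
}
$source | Where-Object { Test-LsassAccessEvent $_ } | Format-Table SourceImage, GrantedAccess -AutoSize
```

On the constructed samples only the Downloads\pd.exe record is reported: csrss.exe is allowlisted, taskmgr.exe asked for query-limited access without VM_READ, and the svchost.exe record targets services.exe rather than LSASS. In production the CallTrace field is worth keeping in the alert, since dumps made through MiniDumpWriteDump show dbghelp.dll or dbgcore.dll in the trace.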

How to defend

LSASS protection combines Windows features and account hygiene:

  • Enable Credential Guard, which isolates LSASS secrets in a virtualised container that ordinary admin rights cannot read.
  • Add privileged accounts to the Protected Users group so their credentials are not cached in a reusable form.
  • Turn on LSASS protection (RunAsPPL) so non-protected processes cannot open it.
  • Deploy LAPS so a unique local-admin password on every machine stops one harvested hash from unlocking the next.
  • Keep Domain Admins off ordinary workstations, and detect tools that open a handle to lsass.exe.
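To check how far a host has actually got with the controls above, the following PowerShell is an added example (not code from the SecureLayer7 page) that reports the RunAsPPL value, the Credential Guard state from the Win32_DeviceGuard WMI class, whether a Windows LAPS or legacy LAPS policy is applied, and which Domain Admins are not yet in Protected Users. It assumes an elevated session on a domain-joined host with the RSAT ActiveDirectory module installed; the registry paths and WMI class are the documented Windows ones, and the AuditLevel check covers the audit mode Microsoft recommends enabling before enforcing LSASS protection.

```powershell
# Added example, not code from the SecureLayer7 page: report the state of the LSASS hardening
# controls listed above on the local host. Run from an elevated PowerShell. Registry paths and
# the WMI class are the documented Windows ones; the Protected Users check assumes the RSAT
# ActiveDirectory module is present and the host is domain-joined.

function Get-LsassPplState {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $ppl = if ($lsa -and $null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }
    switch ($ppl) {
        1       { 'Enabled (UEFI-locked)' }        # cannot be cleared by flipping the value alone
        2       { 'Enabled (not UEFI-locked)' }
        default { 'Disabled' }
    }
}

function Get-LsassPplAuditEvents {
    # Before enforcing RunAsPPL, set AuditLevel=8 under this IFEO key; Code Integrity then logs
    # 3065/3066 for every plug-in or driver that would be blocked, so breakage is found first.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
    $audit = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).AuditLevel
    if ($audit -ne 8) { return 'LSASS audit mode off (AuditLevel is not 8)' }
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = @(3065, 3066) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) { return 'Unknown (Win32_DeviceGuard unavailable)' }
    # In SecurityServicesRunning / SecurityServicesConfigured, 1 = Credential Guard, 2 = HVCI
    if ($dg.SecurityServicesRunning -contains 1) { 'Running' }
    elseif ($dg.SecurityServicesConfigured -contains 1) { 'Configured but not running (check VBS prerequisites, reboot)' }
    else { 'Not configured' }
}

function Get-LapsState {
    # Windows LAPS policy key; BackupDirectory 1 = Entra ID, 2 = Active Directory
    $new = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
    # Legacy LAPS (AdmPwd) policy key
    $old = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    if ($new -and ($new.BackupDirectory -in @(1, 2))) { 'Windows LAPS enabled' }
    elseif ($old -and $old.AdmPwdEnabled -eq 1) { 'Legacy LAPS (AdmPwd) enabled' }
    else { 'Not configured' }
}

function Get-UnprotectedDomainAdmins {
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) { return 'ActiveDirectory module not installed' }
    Import-Module ActiveDirectory
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive | Select-Object -ExpandProperty SamAccountName
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.SamAccountName -notin $protected } |
        Select-Object -ExpandProperty SamAccountName
}

[pscustomobject]@{
    Host                     = $env:COMPUTERNAME
    LsassPPL                 = Get-LsassPplState
    CredentialGuard          = Get-CredentialGuardState
    LAPS                     = Get-LapsState
    DomainAdminsNotProtected = (Get-UnprotectedDomainAdmins) -join ', '
} | Format-List
Get-LsassPplAuditEvents
```

Running this across a fleet (for example through a remoting loop) gives a quick picture of which hosts still leave LSASS readable by any local administrator. The Credential Guard check distinguishes "configured" from "running" because the policy is commonly applied while the virtualisation prerequisites are missing, which leaves the host unprotected despite a compliant-looking GPO report.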


Need your Active Directory tested?

Scope an engagement

Test your Active Directory before an attacker does.

We run internal and Active Directory penetration tests that follow the real path from one low-privilege user to Domain Admin, then hand your team a report with reproducible evidence and a fix for every step. Free re-test included.

30-min scoping call, fixed-price proposal in 48 hours.