Examine our research from the last year in the ReliaQuest 2024 Annual Cyber-Threat Report
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
March 26, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
For many of us in cybersecurity, we know that credential theft is part of almost all attacks within a network. Arguably, one of the most known forms of credential stealing is surrounding clear-text credentials by accessing lsass.exe. Almost synonymous with credential dumping is the popular tool Mimikatz, which is able to access the LSASS (Local Security Authority Subsystem Service) memory space and extract these clear-text credentials. While LSAAS credential dump is a critical concern, it is only a piece of the bigger picture of the Windows credential model.
But how much do we really understand about the LSASS and other components of Windows credential management? How do they work? What do they store? Why are they a target for attackers? What protections can we put in place?
In part one, this blog post, I’ll do a deep dive into Windows authentication and credential management to shed more light into how it works and where vulnerabilities lie.
In part two, read about how to mitigate the risk.
According to Microsoft, in Windows authentication, credential management refers to the underlying process that takes credential material from the user to present to the authentication target. On a non-domain joined computer, the authentication target is the Security Accounts Manager (SAM) database on the local machine. In the case of a domain joined computer, the authentication target is the domain controller through the WinLogon service.
Security information that is stored locally in the host is located in the registry under HKEY_LOCAL_MACHINE\SECURITY. Information found in this registry can include:
The Local Security Authority (LSA) is a protected system process that’s purpose is to authenticate users on the local system. Collectively, LSA handles the local security aspects on the computer (local security policy) and provides translation between names and security identifiers (SIDs).
The Local Security Authority Subsystem Service (LSASS) is also a part of the LSA framework. LSASS is the process that keeps track of security policies and accounts that are in use on a system. Specifically, LSASS stores credentials in memory for users active on the machine. The purpose of keeping these credentials in memory is for a form of single sign on, where the user does not have to reinput credentials for network resources, shares, or services within the domain.
Official Microsoft Documentation for how LSA integrates with the Windows authentication process. Each DLL handles a different form of authentication and are utilized by the overarching LSASS process.
I’ll start with breaking down LSASS as it is generally the best-known component of LSA. According to Microsoft documentation, LSASS stores credentials in memory on behalf of users with active Windows sessions. The purpose of storing these credentials is so that users can access network resources, file shares, mail, and more without having to re-authenticate to each individual service.
LSASS stores credential material in various forms, including:
Credentials are cached to LSASS whenever a user authenticated in an interactive manner. The following types of activity will put the user’s credential material into memory:
Things to consider: When you need to execute commands/processes on a host, know what will and will not put credential material into memory. When investigating, look for users that may be performing the above activities on the impacted host.
By default, LSASS stores credentials associated with logon sessions related to those activities outlined above since the last restart, of which have not been closed (logged off). This means that once a user is logged off, LSASS may clear the credentials after a certain period of time, which varies by operating system and security settings (default is 30 seconds in Windows versions 8.1+. Older systems may not always clear credentials after logoff without patches).
Things to consider: Ensure hosts are fully patched and credential clearing is enabled. Any user authenticated when a potential credential dump occurs will likely need their password reset. On legacy hosts, there may not be any clearing of credentials, even after logoff. All users on these systems (when unpatched) may need a password reset.
As you may have already guessed, the reason LSASS is such a high-value target for attackers is that it contains credential material for users, which can be used to pivot throughout the environment.
When an attacker gains their initial foothold into the environment, they almost never land at their target host or permission set. For example, if their phishing email to the accounting department was successful, these users are probably not able to access databases, domain controllers, medical records, etc.
Nearly all forms of lateral movement require credential material to move throughout an environment.
Mimikatz is arguably the best-known/-publicized way of dumping LSASS. Mimikatz was created in 2007 by Benjamin Delpy as a tool to experiment with Windows security and LSASS functionality. It has the ability to access LSASS credential material, Kerberos tickets, create tokens, pass-the-hash, and more. The project is ongoing and new modules are added on a regular basis.
Mimikatz functionality was part of the 2017 NotPetya attacks, where it would search for clear-text passwords in WDigest and other credential material within LSA.
This toolset is open-source and can readily be downloaded from the GitHub repository. Mimikatz requires local administrator rights to the host on which it will be used. This is because it has to assume “Debug” privileges as it uses Windows debugging functionality to access the LSASS memory space.
A typical Mimikatz execution flow will look similar to the following (Windows 10):
Sample Mimikatz execution flow on Windows 10
As seen in the graphic above, Mimikatz will attempt to pull credential material from multiple sources, including MSV, TSPKG, WDIGEST, KERBEROS, SSP, and CREDMAN. These were all seen in the LSA model diagram at the beginning of this blog.
From an attacker’s perspective, Mimikatz is not a very OPSEC (Operations Security) friendly tool when trying to gain credential material. This is because it is a very well-known toolset and is almost immediately caught by antivirus and security vendors, even when at rest on disk. Because of this, attackers will typically do one of the following: Execute Mimikatz in memory, create their own custom tool, or use other legitimate programs that can also dump the memory space of LSASS. I won’t cover memory injection and exploit development in this blog, but I will touch on a few other alternative methods to access LSASS with legitimate, known programs.
Things to consider: It is always important to know legitimate ways to dump credential material because even if the processes are not malware, they can still be used maliciously.
Procdump is a tool that was created by Mark Russinovich and Andrew Richards that is now part of the windows Sysinternals tool suite. It is readily available for download from Microsoft’s website. The tool was designed to be used for debugging applications for CPU usage and creating crash dumps so the root cause could be determined.
Like many of the Sysinternals administrator tools (such as PsExec), this legitimate program has been abused by attackers. The reason being, this is a legitimate Microsoft program, and antivirus and security providers are less likely to alert as this process being malware (this is not always the case, some vendors will flag on activity associated with this process when associated with LSASS). Below is an example of using the tool (administrator context is needed to dump LSASS).
To be more “stealthy,” (as some security vendors will flag “lsass.exe”) attackers can also specify the process by the PID.
This file can now be taken offline (outside of the network on a different host) and be ingested by Mimikatz through its minidump module.
A lesser known way of dumping LSASS is by using the task manager, which is built into Windows. From an administrator context, a dump file can be created for any process by right-clicking on it within the task manager and selecting “Create Dump File”.
A dump file can be created for any process by right-clicking on it within the task manager and selecting “Create Dump File”.
Not all credential material is stored in memory within the LSASS process. Some of the credential material may also be stored on the hard disk drive, only accessible to SYSTEM account processes on the host. The reason these credentials are stored is that in some cases they may need to survive after a reboot, such as the case with cached credentials.
Cached credentials are encrypted user credentials that are used when the authentication authority cannot be reached. For example, if your domain joined workstation cannot reach the domain controller to validate your credentials, your machine will use the cached credentials to authenticate you in the meantime. Without these credentials, you would be unable to authenticate without an active connection to the domain controller.
Cached credentials are not the only material that can be stored in the LSA secrets. According to Microsoft, other examples of stored secrets include:
LSA secrets are stored in an encrypted form within the registry at HKEY_LOCAL_MACHINE/Security/Policy/Secrets. The parent keys to decrypt the secrets are also stored within the registry at HKEY_LOCAL_MACHINE/Security/Policy. This is significant because as I mentioned, system level processes are able to access these registers to decrypt the data that lies within them. If an attacker is able to establish a SYSTEM level context on a host, they can dump the LSA secrets as easily as credentials within LSASS.
Mimikatz also contains functionality to access these secrets on a host.
First, we need to establish a system context, so we will use the “token::elevate” command within Mimikatz. Once the SYSTEM context is assumed, we are able to access the LSA secrets.
Things to consider: Just because there may be no credential material within LSASS memory, this does not mean that there will not be credential material stored on the drive within the LSA secrets. This material can still be used for lateral movement.
The vulnerabilities I’ve outlined above are critical to understand what mitigations can be put in place to protect against Windows credential stealing. In Part 2, I walk through what these mitigations could look like so you can proactively protect your organization.
GreyMatter, ReliaQuest’s SaaS security platform, helps mitigate credential stealing by integrating and normalizing data from disparate technologies including SIEM, EDR, multi-cloud, and point tools to provide a unified view for detecting, investigating, and threat hunting—all within the GreyMatter UI. Through GreyMatter, security teams can leverage custom detection content to identify and investigate activity that may indicate credential theft. With an integrated threat hunting feature, GreyMatter allows for a security teams to proactively search over large periods of time to detect LSASS dump on an EDR. By automating across the security lifecycle, ReliaQuest GreyMatter aggregates, de-dupes and enriches alerts from across your security ecosystem to serve up a research package, providing analysts with all of the telemetry and recommendations they need, in one place, to prosecute and remediate threats.