Credential Dumping: LSASS Memory

After a user logs on, attackers can attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). This indicator of attack requires the Sysmon extension for these audits.

Event IDs	Audit Policies	Value
4624	├ Category: Logon/Logoff └─ Sub-category: Logon	Success
4634	├ Category: Logon/Logoff └─ Sub-category: Logoff	Success
1	Sysmon - Process creation	Sysmon - N/A
5	Sysmon - Process terminated	Sysmon - N/A
8	Sysmon - CreateRemoteThread	Sysmon - N/A
10	Sysmon - ProcessAccess	Sysmon - N/A
	Requires Sysmon extension For information on how to install and configure Sysmon, see Install Microsoft Sysmon.	Yes

See also

• DCShadow

• DCSync

• DNSAdmins

• Domain Backup Key Extraction

• Enumeration of Local Administrators

• GoldenTicket

• Kerberoasting

• Massive Computers Reconnaissance

• NTDS Extraction

• Password Guessing

• Password Spraying

• PetitPotam