|T1003.002||Security Account Manager|
|T1003.005||Cached Domain Credentials|
|T1003.008||/etc/passwd and /etc/shadow|
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
procdump -ma lsass.exe lsass_dump
Locally, mimikatz can be run using:
Built-in Windows tools such as comsvcs.dll can also be used:
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.
The following SSPs can be used to access credentials:
|C0025||2016 Ukraine Electric Power Attack||
During the 2016 Ukraine Electric Power Attack, Sandworm Team used Mimikatz to capture and use legitimate credentials.
APT1 has been known to use credential dumping using Mimikatz.
APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims. They have also dumped the LSASS process memory using the MiniDump function.
APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig."
APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.
APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, and ProcDump to dump credentials.
APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.
APT41 has used hashdump, Mimikatz, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.
Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.
Bad Rabbit has used Mimikatz to harvest credentials from the victim's machine.
Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.
BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.
Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.
Cobalt Strike can spawn a job to inject into LSASS memory and dump password hashes.
CozyCar has executed Mimikatz to harvest stored credentials from the victim and further victim penetration.
Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.
Earth Lusca has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process.
Emotet has been observed dropping password grabber modules including Mimikatz. 
Empire contains an implementation of Mimikatz to gather credentials from memory.
FIN6 has used Windows Credential Editor for credential dumping.
FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).
Fox Kitten has used prodump to dump credentials from LSASS.
GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.
GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim’s machine.
HAFNIUM has used
SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.
Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.
Ke3chang has dumped credentials, including by using Mimikatz.
Kimsuky has gathered credentials using Mimikatz and ProcDump.
LaZagne can perform credential dumping from memory to obtain account and password information.
Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.
Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.
Lslsass can dump active logon session password hashes from the lsass process.
Magic Hound has stolen domain credentials by dumping LSASS process memory using Task Manager, comsvcs.dll, and from a Microsoft Active Directory Domain Controller using Mimikatz.
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSASS Memory.
MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.
Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.
NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.
OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.
Okrum was seen using MimikatzLite to perform credential dumping.
Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.
During Operation Wocao, threat actors used ProcDump to dump credentials from memory.
PLATINUM has used keyloggers that are also capable of dumping credentials.
PoetRAT used voStro.exe, a compiled pypykatz (Python version of Mimikatz), to steal credentials.
PoshC2 contains an implementation of Mimikatz to gather credentials from memory.
PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz.
Pupy can execute Lazagne as well as Mimikatz using PowerShell.
Sandworm Team has used its plainpwd tool, a modified version of Mimikatz, and comsvcs.dll to dump Windows credentials from system memory.
Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.
SILENTTRINITY can create a memory dump of LSASS via the
TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials. 
Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.
|S0005||Windows Credential Editor||
Windows Credential Editor can dump credentials.
|M1040||Behavior Prevention on Endpoint||
On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. 
|M1043||Credential Access Protection||
With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping.
|M1028||Operating System Configuration||
Consider disabling or restricting NTLM. Consider disabling WDigest authentication.
Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
|M1026||Privileged Account Management||
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
|M1025||Privileged Process Integrity||
On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
|DS0009||Process||OS API Execution||
Monitor for API calls that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
Monitor for unexpected processes interacting with LSASS.exe. Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.
Implementation 1 : [Mimikatz](/software/S0002)
Implementation 2 : Procdump
Implementation 3 : Windows Task Manager
Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.
Implementation 1 - Procdump
Implementation 2 - MiniDump via rundll32