# lsass.exe

### What is lsass.exe?

`lsass.exe`, the **Local Security Authority Subsystem Service**, is the user-mode process that implements the Windows local security authority. It enforces local security policy, authenticates users, and issues the access tokens that the rest of the system relies on for authorization, which makes it one of the most sensitive processes on any Windows machine.

Think of `lsass.exe` as the gatekeeper and record-keeper for security on your local machine (or domain member). Its primary functions include:

* **Authenticating Users:** When you log in to your computer, `lsass.exe` verifies your username and password (or other credentials) against the local Security Account Manager (SAM) database or a domain controller.
* **Managing Local Security Policy:** It enforces the local security policy, including password policies, account lockout policies, and user rights assignments.
* **Handling Active Directory Authentication:** In domain-joined environments, `lsass.exe` communicates with domain controllers to authenticate users and manage domain security policies.
* **Creating and Managing Access Tokens:** Upon successful authentication, `lsass.exe` creates an access token that contains information about the user's identity and privileges. This token is then used by other processes to determine what actions the user is allowed to perform.
* **Caching Credentials:** `lsass.exe` keeps credential material for every active logon session in its own memory: NT hashes, Kerberos tickets and session keys, and on older or misconfigured systems the plaintext password itself. This cache is what gives users single sign-on (SSO) to network resources without retyping their password, and it is also exactly what credential-dumping tools go after.

**In essence, `lsass.exe` is fundamental to the security of your Windows system. Reading its memory exposes the credentials of every user logged on to the machine, and because Windows treats it as a critical process, terminating it forces the system down, so both tampering with it and killing it have severe consequences.**

### lsass.exe: Normal vs. Abnormal Behavior

| <mark style="color:blue;">Feature</mark> | <mark style="color:green;">Normal Behavior</mark> | <mark style="color:red;">Abnormal Behavior</mark> |
| --- | --- | --- |
| **Image Path** | `%SystemRoot%\System32\lsass.exe` (normally `C:\Windows\System32\lsass.exe`). | An image path outside `%SystemRoot%\System32`, or a look-alike name such as `lsas.exe` or `lssas.exe` (masquerading). |
| **Parent Process** | `wininit.exe`, which starts both `lsass.exe` and `services.exe` during session-0 initialization. | Any other parent, in particular `services.exe`, `cmd.exe`, `powershell.exe` or an Office application. |
| **Number of Instances** | Exactly one. | More than one `lsass.exe`, especially under different user accounts or in a user session. |
| **User Account** | `NT AUTHORITY\SYSTEM`, in session 0. | Any other account, or running in an interactive user session. |
| **Resource Usage** | Moderate memory and low CPU under normal conditions; memory grows with the number of logon sessions and cached tickets. On domain controllers `lsass.exe` also hosts the directory database and the KDC, so its footprint there is much larger. | Unusually high and sustained CPU or memory consumption, or sudden spikes without a corresponding change in logon activity. |
| **Network Activity** | Domain members: Kerberos (88), LDAP (389/636) and Netlogon RPC over SMB to domain controllers. Domain controllers: inbound LDAP, Kerberos and RPC from clients. Standalone hosts: almost none, apart from serving LSARPC/SAMR requests over local named pipes. | Connections to hosts that are not domain controllers or to unfamiliar remote hosts, or traffic on unexpected protocols or ports. |
| **Stability** | Runs continuously from boot; Windows treats it as a critical process. | Termination or crashes of `lsass.exe`. Because the system crashes or force-restarts when the process dies, an unexplained reboot can itself be the indicator. |
| **File Integrity** | The on-disk image has a valid Microsoft signature and the version of the installed Windows build. | Missing or invalid signature; a file size, version or hash that does not match the installed Windows build. |
| **Memory Access** | Very few processes ever open `lsass.exe` with `PROCESS_VM_READ`; on a given host the set of source images that do (security agents, a few `svchost.exe` instances) is short and stable. | Any unbaselined process opening `lsass.exe` with `PROCESS_VM_READ` (0x0010), typically as part of a mask such as 0x1010, 0x1410 or 0x1FFFFF, or with `dbghelp.dll`/`dbgcore.dll` in the call trace (Sysmon Event ID 10). This is the signature of a memory dump. |
| **Handles and Threads** | A handle and thread count consistent with its workload. | An unusually high or rapidly growing number of handles or threads, which can indicate injection or abuse. |
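The following script is an added example, not part of the original page, that checks a live host against the expectations in the table: instance count, image path, parent process, account and session, file signature, and whether LSA Protection actually took effect at the last boot. It reads process metadata, the file signature, the registry and the System log only and never opens `lsass.exe` memory. It assumes an elevated PowerShell 5.1 or later prompt on Windows 10/11 or Windows Server; the signer-subject pattern `O=Microsoft Corporation` is an assumption about how Microsoft signs its Windows binaries.

```powershell
# Added example (not part of the original page): compare the live lsass.exe with the table above.
# Reads process metadata, the file signature, the registry and the System log only; it never
# opens lsass memory. Run from an elevated PowerShell 5.1+ prompt on Windows 10/11 or Server.

$ExpectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'
$Findings     = New-Object System.Collections.Generic.List[string]

$instances = @(Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'")
if ($instances.Count -ne 1) {
    $Findings.Add("Expected exactly one lsass.exe, found $($instances.Count)")
}

foreach ($p in $instances) {
    $tag = "lsass.exe PID $($p.ProcessId)"

    # Image path: must be %SystemRoot%\System32\lsass.exe
    if ($p.ExecutablePath -ne $ExpectedPath) {
        $Findings.Add("$($tag): image path '$($p.ExecutablePath)', expected '$ExpectedPath'")
    }

    # Parent: wininit.exe starts lsass.exe (and services.exe) during session-0 initialization
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent -or $parent.Name -ne 'wininit.exe') {
        $parentName = if ($parent) { $parent.Name } else { '<no longer running>' }
        $Findings.Add("$($tag): parent '$parentName' (PID $($p.ParentProcessId)), expected wininit.exe")
    }

    # Account and session: NT AUTHORITY\SYSTEM in session 0
    $owner   = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $account = "$($owner.Domain)\$($owner.User)"
    if ($account -ne 'NT AUTHORITY\SYSTEM' -or $p.SessionId -ne 0) {
        $Findings.Add("$($tag): runs as '$account' in session $($p.SessionId), expected NT AUTHORITY\SYSTEM in session 0")
    }

    # File integrity: the on-disk image must carry a valid Microsoft signature
    # (assumption: Microsoft's signing certificates carry O=Microsoft Corporation in the subject)
    $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
        $Findings.Add("$($tag): signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'")
    }
}

# LSA Protection. RunAsPPL = 1 (UEFI-locked) or 2 (not locked) requests lsass as a protected
# process; Wininit logs System event 12 when it actually started that way. Check since last boot.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
$ppl  = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $boot } `
                     -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $ppl) {
    $configured = if ($lsa) { $lsa.RunAsPPL } else { 'not set' }
    $Findings.Add("lsass.exe did not start as a protected process (no Wininit event 12 since boot; RunAsPPL = $configured)")
}

if ($Findings.Count -eq 0) { 'lsass.exe matches the expected baseline' } else { $Findings }
```

Every line of output is a deviation from the table; a clean host prints a single line. The Wininit event is checked rather than the registry value alone because the registry only records intent, while event 12 records that `lsass.exe` really was launched as a protected process at this boot.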

### lsass.exe and MITRE ATT\&CK

`lsass.exe` is a prime target for attackers under the **T1003 OS Credential Dumping** technique in the MITRE ATT\&CK framework, specifically the **T1003.001 LSASS Memory** sub-technique.

**How Attackers Use lsass.exe:**

Attackers focus on `lsass.exe` because the authentication packages it hosts (`msv1_0`, `kerberos`, `wdigest`, `tspkg` and others) keep credential material for every logon session in its memory, including:

* **Plaintext passwords**, when the WDigest provider caches them: the default before Windows 8.1 / Server 2012 R2, and on later systems only if `UseLogonCredential` is set to 1 under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`
* **NTLM hashes** (the NT hash of each logged-on user)
* **LM hashes**, on systems that still store them (disabled by default since Windows Vista)
* **Kerberos tickets** (TGTs and service tickets) and their session keys
* **Smart card PINs** for smart-card logons

By reading `lsass.exe` process memory, attackers obtain these credentials in a directly usable form: an NT hash or a Kerberos ticket is accepted by the network as-is, so no password cracking is needed. This allows them to:

* **Elevate privileges:** Use compromised administrator credentials to gain higher access.
* **Move laterally:** Use the stolen credentials to access other systems on the network.
* **Achieve their objectives:** Gain access to sensitive data, deploy ransomware, etc.

**Common Tools and Methods Used by Attackers:**

* **Mimikatz:** A post-exploitation tool whose `sekurlsa::logonpasswords` module reads credential material directly out of `lsass.exe` memory. It needs `SeDebugPrivilege` (local administrator) and fails against a protected `lsass.exe` unless a driver is loaded first.
* **ProcDump:** A signed Sysinternals tool abused to write a full memory dump of `lsass.exe` (`procdump -ma lsass.exe`) that is then parsed offline with Mimikatz or pypykatz.
* **Task Manager:** "Create dump file" on `lsass.exe` writes `lsass.DMP` to `%LOCALAPPDATA%\Temp` for an attacker who already has administrator rights.
* **comsvcs.dll (MiniDump):** The built-in `comsvcs.dll` exports a `MiniDump` function that `rundll32.exe` can call with the `lsass.exe` PID to write a dump, with no third-party tool touching disk.
* **Direct System Calls and API Unhooking:** Dumpers that bypass user-mode EDR hooks by invoking `NtOpenProcess` and `NtReadVirtualMemory` directly or by restoring the hooked `ntdll.dll` stubs before reading.
* **PowerSploit (Out-Minidump):** A PowerShell function that calls `MiniDumpWriteDump` so the dump can be taken from a memory-resident script.
* **CrackMapExec:** A network post-exploitation tool that dumps LSASS on remote hosts, for example through its `lsassy` module.
* **lsassy:** A Python tool that remotely dumps LSASS using several methods (ProcDump, comsvcs and others) and parses the result with pypykatz.
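The hunt below is an added example, not part of the original page, that turns the Memory Access row of the table and the tool list above into two Sysmon queries: Event ID 10 (ProcessAccess) for handles to `lsass.exe` that carry `PROCESS_VM_READ` from an unbaselined source or with `dbghelp.dll`/`dbgcore.dll` (where `MiniDumpWriteDump` lives) in the call trace, and Event ID 1 (ProcessCreate) for command lines matching the tools named on this page. It assumes Sysmon is installed with ProcessAccess logging for `lsass.exe` enabled in its configuration and an elevated prompt to read the log. `$KnownGoodSources` is a constructed starting baseline and the `$DumpToolPatterns` regexes are assumptions derived from the tool descriptions above.

```powershell
# Added example (not part of the original page): hunt 7 days of Sysmon telemetry for LSASS dumping.
# Assumes Sysmon logs ProcessAccess (ID 10) for lsass.exe and that this runs elevated.

$Since = (Get-Date).AddDays(-7)
$Log   = 'Microsoft-Windows-Sysmon/Operational'

# PROCESS_VM_READ is the one right every dumper needs; MiniDumpWriteDump-style tools usually
# request it inside masks like 0x1010, 0x1410, 0x1438, 0x143A or the full 0x1FFFFF.
$ProcessVmRead = 0x0010

# Constructed baseline of processes allowed to read lsass on this host; replace with your own.
$KnownGoodSources = @(
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\wbem\WmiPrvSE.exe",
    "$env:SystemRoot\System32\csrss.exe"
)

# Assumed command-line patterns for the tools described on this page
$DumpToolPatterns = @(
    'procdump.*lsass',
    'comsvcs\.dll.*MiniDump',
    'sekurlsa::',
    'Out-Minidump',
    'lsassy',
    'lsass\.dmp'
)

function Get-SysmonField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-LsassAccess {
    # Event ID 10: some process opened a handle to lsass.exe
    $events = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 10; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        if ((Get-SysmonField $x 'TargetImage') -notlike '*\lsass.exe') { continue }

        $source = Get-SysmonField $x 'SourceImage'
        $access = [int](Get-SysmonField $x 'GrantedAccess')          # Sysmon stores it as '0x1010'
        $trace  = Get-SysmonField $x 'CallTrace'

        $readsMemory = ($access -band $ProcessVmRead) -ne 0
        $dumpApi     = $trace -match 'dbghelp\.dll|dbgcore\.dll'      # MiniDumpWriteDump is exported here
        $baselined   = $KnownGoodSources -contains $source

        if ($readsMemory -and ($dumpApi -or -not $baselined)) {
            [pscustomobject]@{
                Time          = $e.TimeCreated
                Indicator     = if ($dumpApi) { 'dbghelp/dbgcore in call trace' } else { 'unbaselined VM_READ on lsass' }
                SourceImage   = $source
                SourcePid     = Get-SysmonField $x 'SourceProcessId'
                GrantedAccess = '0x{0:X}' -f $access
            }
        }
    }
}

function Find-DumpToolLaunch {
    # Event ID 1: process creation; match the command line against the tool patterns
    $events = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue
    $regex  = $DumpToolPatterns -join '|'
    foreach ($e in $events) {
        $x   = [xml]$e.ToXml()
        $cmd = Get-SysmonField $x 'CommandLine'
        if ($cmd -match $regex) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Indicator   = "command line matches '$($Matches[0])'"
                Image       = Get-SysmonField $x 'Image'
                ProcessId   = Get-SysmonField $x 'ProcessId'
                ParentImage = Get-SysmonField $x 'ParentImage'
                CommandLine = $cmd
            }
        }
    }
}

Find-LsassAccess    | Format-Table -AutoSize
Find-DumpToolLaunch | Format-List
```

The access check deliberately keys on the single `PROCESS_VM_READ` bit rather than a list of exact masks, because a dumper can pad its request with other rights and change the mask without changing what it needs; the call-trace test catches baselined sources that have been hijacked to call `MiniDumpWriteDump`. Direct-syscall dumpers still show up in Event ID 10 (the kernel grants the handle either way), but their call trace will not pass through the usual DLLs, which is itself worth alerting on.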

**MITRE ATT\&CK Techniques Associated with lsass.exe:**

* **T1003 OS Credential Dumping:** The primary technique.
  * **T1003.001 LSASS Memory:** Reading or dumping the `lsass.exe` process memory.
* **T1555 Credentials from Password Stores:** Covers other stores such as Credential Manager and browsers; not `lsass.exe` memory itself, but commonly harvested in the same session by the same tools.
* **T1110.002 Brute Force: Password Cracking:** Hashes recovered from `lsass.exe` can be cracked offline to recover the plaintext password.
* **T1550 Use Alternate Authentication Material:** Material stolen from `lsass.exe` is replayed directly for lateral movement: **T1550.002 Pass the Hash** with NT hashes and **T1550.003 Pass the Ticket** with Kerberos tickets.

Protecting the `lsass.exe` process from unauthorized access and monitoring for suspicious memory access are crucial security measures. Two built-in defences address credential theft directly: **LSA Protection** (`RunAsPPL` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`) runs `lsass.exe` as a Protected Process Light, so that ordinary code cannot open it with `PROCESS_VM_READ` even with `SeDebugPrivilege`; **Credential Guard** moves NT hashes and Kerberos TGTs out of `lsass.exe` altogether into the virtualization-isolated `LSAIso.exe`, so a successful dump of `lsass.exe` no longer yields them. Neither stops an attacker who can load a kernel driver, and neither removes the need to monitor for the access patterns above.

