Esc
LSASS Memory - T1003.001
(ATT&CK® Technique)
Definition
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1003001["LSASS Memory"] --> |accesses| Process["Process"]; class T1003001 OffensiveTechniqueNode; class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process"; click T1003001 href "/offensive-technique/attack/T1003.001/"; click Process href "/dao/artifact/d3f:Process"; T1003001["LSASS Memory"] --> |accesses| AuthenticationService["Authentication Service"]; class T1003001 OffensiveTechniqueNode; class AuthenticationService ArtifactNode; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService"; click T1003001 href "/offensive-technique/attack/T1003.001/"; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | isolates | Process["Process"]; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | May Isolate | T1003001["LSASS Memory"] ; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class Process ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | isolates | AuthenticationService["Authentication Service"]; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ProcessTermination["Process Termination"] --> | terminates | Process["Process"]; ProcessTermination["Process Termination"] -.-> | May Evict | T1003001["LSASS Memory"] ; class ProcessTermination DefensiveTechniqueNode; class Process ArtifactNode; click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessTermination["Process Termination"] --> | terminates | AuthenticationService["Authentication Service"]; class ProcessTermination DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click ProcessTermination href "/technique/d3f:ProcessTermination"; HostShutdown["Host Shutdown"] --> | terminates | Process["Process"]; HostShutdown["Host Shutdown"] -.-> | May Evict | T1003001["LSASS Memory"] ; class HostShutdown DefensiveTechniqueNode; class Process ArtifactNode; click HostShutdown href "/technique/d3f:HostShutdown"; HostShutdown["Host Shutdown"] --> | terminates | AuthenticationService["Authentication Service"]; class HostShutdown DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click HostShutdown href "/technique/d3f:HostShutdown"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] --> | analyzes | Process["Process"]; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.-> | May Detect | T1003001["LSASS Memory"] ; class ProcessSelf-ModificationDetection DefensiveTechniqueNode; class Process ArtifactNode; click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] --> | analyzes | AuthenticationService["Authentication Service"]; class ProcessSelf-ModificationDetection DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | Process["Process"]; ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | May Detect | T1003001["LSASS Memory"] ; class ProcessSpawnAnalysis DefensiveTechniqueNode; class Process ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | AuthenticationService["Authentication Service"]; class ProcessSpawnAnalysis DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSuspension["Process Suspension"] --> | suspends | Process["Process"]; ProcessSuspension["Process Suspension"] -.-> | May Evict | T1003001["LSASS Memory"] ; class ProcessSuspension DefensiveTechniqueNode; class Process ArtifactNode; click ProcessSuspension href "/technique/d3f:ProcessSuspension"; ProcessSuspension["Process Suspension"] --> | suspends | AuthenticationService["Authentication Service"]; class ProcessSuspension DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click ProcessSuspension href "/technique/d3f:ProcessSuspension"; ProcessLineageAnalysis["Process Lineage Analysis"] --> | analyzes | AuthenticationService["Authentication Service"]; ProcessLineageAnalysis["Process Lineage Analysis"] -.-> | May Detect | T1003001["LSASS Memory"] ; class ProcessLineageAnalysis DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] --> | analyzes | Process["Process"]; class ProcessLineageAnalysis DefensiveTechniqueNode; class Process ArtifactNode; click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; MandatoryAccessControl["Mandatory Access Control"] --> | isolates | Process["Process"]; MandatoryAccessControl["Mandatory Access Control"] -.-> | May Isolate | T1003001["LSASS Memory"] ; class MandatoryAccessControl DefensiveTechniqueNode; class Process ArtifactNode; click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl"; MandatoryAccessControl["Mandatory Access Control"] --> | isolates | AuthenticationService["Authentication Service"]; class MandatoryAccessControl DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl"; HostReboot["Host Reboot"] --> | terminates | AuthenticationService["Authentication Service"]; HostReboot["Host Reboot"] -.-> | May Evict | T1003001["LSASS Memory"] ; class HostReboot DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click HostReboot href "/technique/d3f:HostReboot"; HostReboot["Host Reboot"] --> | terminates | Process["Process"]; class HostReboot DefensiveTechniqueNode; class Process ArtifactNode; click HostReboot href "/technique/d3f:HostReboot";