LSASS Memory - T1003.001
(ATT&CK® Technique)
Definition
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement by means of the Use Alternate Authentication Material technique.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
    %% D3FEND inferred-relationship graph for ATT&CK T1003.001 (LSASS Memory).
    %% Solid edges state what a technique does to a digital artifact; dotted
    %% "may-*" edges are inferred from that shared artifact and express possible,
    %% not confirmed, coverage of LSASS credential access.
    %% Statement order is kept from the page; repeated class/click lines are listed once.

    %% Offensive technique and the two artifacts it accesses.
    T1003001["LSASS Memory"] --> |accesses| Process["Process"];
    class T1003001 OffensiveTechniqueNode;
    class Process ArtifactNode;
    click Process href "/dao/artifact/d3f:Process";
    click T1003001 href "/offensive-technique/attack/T1003.001/";
    T1003001["LSASS Memory"] --> |accesses| AuthenticationService["Authentication Service"];
    class AuthenticationService ArtifactNode;
    click AuthenticationService href "/dao/artifact/d3f:AuthenticationService";

    %% Countermeasures with a may-detect edge.
    ProcessSelf-ModificationDetection["Process Self-Modification Detection"] --> | analyzes | Process["Process"];
    ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.-> | may-detect | T1003001["LSASS Memory"] ;
    class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
    click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection";
    ProcessSelf-ModificationDetection["Process Self-Modification Detection"] --> | analyzes | AuthenticationService["Authentication Service"];

    ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | Process["Process"];
    ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | may-detect | T1003001["LSASS Memory"] ;
    class ProcessSpawnAnalysis DefensiveTechniqueNode;
    click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis";
    ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | AuthenticationService["Authentication Service"];

    %% Countermeasures with a may-evict edge.
    %% NOTE(review): these edges act on the artifact class in general. On Windows,
    %% ending the LSASS process itself normally forces a restart, so confirm on the
    %% D3FEND technique pages which process the response is meant to target.
    ProcessSuspension["Process Suspension"] --> | suspends | Process["Process"];
    ProcessSuspension["Process Suspension"] -.-> | may-evict | T1003001["LSASS Memory"] ;
    class ProcessSuspension DefensiveTechniqueNode;
    click ProcessSuspension href "/technique/d3f:ProcessSuspension";
    ProcessSuspension["Process Suspension"] --> | suspends | AuthenticationService["Authentication Service"];

    HostShutdown["Host Shutdown"] --> | terminates | Process["Process"];
    HostShutdown["Host Shutdown"] -.-> | may-evict | T1003001["LSASS Memory"] ;
    class HostShutdown DefensiveTechniqueNode;
    click HostShutdown href "/technique/d3f:HostShutdown";

    ProcessTermination["Process Termination"] --> | terminates | Process["Process"];
    ProcessTermination["Process Termination"] -.-> | may-evict | T1003001["LSASS Memory"] ;
    class ProcessTermination DefensiveTechniqueNode;
    click ProcessTermination href "/technique/d3f:ProcessTermination";
    ProcessTermination["Process Termination"] --> | terminates | AuthenticationService["Authentication Service"];

    HostShutdown["Host Shutdown"] --> | terminates | AuthenticationService["Authentication Service"];

    %% Countermeasures with a may-isolate edge.
    SystemCallFiltering["System Call Filtering"] --> | isolates | AuthenticationService["Authentication Service"];
    SystemCallFiltering["System Call Filtering"] -.-> | may-isolate | T1003001["LSASS Memory"] ;
    class SystemCallFiltering DefensiveTechniqueNode;
    click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";
    SystemCallFiltering["System Call Filtering"] --> | isolates | Process["Process"];

    Kernel-basedProcessIsolation["Kernel-based Process Isolation"] --> | isolates | Process["Process"];
    Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -.-> | may-isolate | T1003001["LSASS Memory"] ;
    class Kernel-basedProcessIsolation DefensiveTechniqueNode;
    click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation";
    Kernel-basedProcessIsolation["Kernel-based Process Isolation"] --> | isolates | AuthenticationService["Authentication Service"];

    Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | isolates | Process["Process"];
    Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | may-isolate | T1003001["LSASS Memory"] ;
    class Hardware-basedProcessIsolation DefensiveTechniqueNode;
    click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation";

    Application-basedProcessIsolation["Application-based Process Isolation"] --> | isolates | Process["Process"];
    Application-basedProcessIsolation["Application-based Process Isolation"] -.-> | may-isolate | T1003001["LSASS Memory"] ;
    class Application-basedProcessIsolation DefensiveTechniqueNode;
    click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation";
    Application-basedProcessIsolation["Application-based Process Isolation"] --> | isolates | AuthenticationService["Authentication Service"];

    Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | isolates | AuthenticationService["Authentication Service"];

    %% A further may-detect countermeasure.
    ProcessLineageAnalysis["Process Lineage Analysis"] --> | analyzes | Process["Process"];
    ProcessLineageAnalysis["Process Lineage Analysis"] -.-> | may-detect | T1003001["LSASS Memory"] ;
    class ProcessLineageAnalysis DefensiveTechniqueNode;
    click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis";
    ProcessLineageAnalysis["Process Lineage Analysis"] --> | analyzes | AuthenticationService["Authentication Service"];

    %% A further may-evict countermeasure.
    HostReboot["Host Reboot"] --> | terminates | Process["Process"];
    HostReboot["Host Reboot"] -.-> | may-evict | T1003001["LSASS Memory"] ;
    class HostReboot DefensiveTechniqueNode;
    click HostReboot href "/technique/d3f:HostReboot";
    HostReboot["Host Reboot"] --> | terminates | AuthenticationService["Authentication Service"];

    %% Linked only through the Authentication Service artifact (no Process edge).
    %% NOTE(review): confirm this inferred link is relevant to LSASS memory access.
    WebSessionAccessMediation["Web Session Access Mediation"] --> | isolates | AuthenticationService["Authentication Service"];
    WebSessionAccessMediation["Web Session Access Mediation"] -.-> | may-isolate | T1003001["LSASS Memory"] ;
    class WebSessionAccessMediation DefensiveTechniqueNode;
    click WebSessionAccessMediation href "/technique/d3f:WebSessionAccessMediation";