Detections
Analytics
OS Credential Dumping: LSASS Memory
Description
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Credential Guard | Plugin ID: 159817 |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | LSA Protection | Plugin ID: 159929 |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Interactive logins | Plugin ID: 161502 |
References
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Credential Access
Technique: OS Credential Dumping
Sub-Technique: LSASS Memory
Platform: Windows
Products Required: Tenable Vulnerability Management
Tenable Release Date: 2022 Q2