Detecting LSASS dumping with debug privileges


FalconFriday — Detecting LSASS dumping with debug privileges — 0xFF1F

Credential dumping from Local Security Authority Subsystem Service

As you know, there are various ways of dumping credentials. On the endpoint, in most cases, credentials are gathered from the Local Security Authority Subsystem Service (LSASS).

Dumping credentials from the LSASS process can be done in various ways. The most straightforward way is using the Win32 API MiniDumpWriteDump. However, since this method is detected…
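To make the detection angle in the title concrete, here is an added example (not the FalconFriday query itself) that triages constructed ProcessAccess-style telemetry: it flags a process that has SeDebugPrivilege enabled and opens a handle to lsass.exe with the access rights a minidump needs. The event fields, the access-mask threshold and the allowlist are assumptions made for the demo.

```python
"""Toy triage of constructed LSASS process-access events (not the article's own detection)."""
from dataclasses import dataclass

# Windows process access rights (real constants from the Win32 API).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
# Assumption for the demo: a memory dump needs at least these two rights on LSASS.
DUMP_ACCESS = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Hypothetical allowlist of trusted processes that legitimately open LSASS.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass
class AccessEvent:
    """One constructed process-access record (Sysmon event 10 style) plus a privilege flag."""
    source_image: str
    target_image: str
    granted_access: int
    debug_privilege_enabled: bool  # SeDebugPrivilege was enabled in the source token


def is_suspicious(ev: AccessEvent) -> bool:
    """True when an unallowlisted, debug-enabled process opens LSASS with dump-capable rights."""
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return False
    if ev.source_image.lower() in ALLOWLIST:
        return False
    if (ev.granted_access & DUMP_ACCESS) != DUMP_ACCESS:
        return False  # handle cannot read process memory, so no dump is possible
    return ev.debug_privilege_enabled


def triage(events):
    """Return the source images of all events worth an analyst's attention."""
    return [ev.source_image for ev in events if is_suspicious(ev)]


# Constructed sample telemetry (paths and masks are made up for the demo).
SAMPLE_EVENTS = [
    AccessEvent(r"C:\Users\alice\tmp\dumper.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF, True),
    AccessEvent(r"C:\Program Files\Windows Defender\MsMpEng.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF, True),
    AccessEvent(r"C:\Users\alice\tmp\query.exe", r"C:\Windows\System32\lsass.exe", 0x1000, True),
    AccessEvent(r"C:\Users\alice\tmp\nodebug.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF, False),
    AccessEvent(r"C:\Users\alice\tmp\dumper.exe", r"C:\Windows\explorer.exe", 0x1FFFFF, True),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # only the first event is flagged
```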
