FalconFriday — Detecting LSASS dumping with debug privileges — 0xFF1F
Credential dumping from Local Security Authority Subsystem Service
There are various ways to dump credentials. On the endpoint, in most cases they are harvested from the memory of the Local Security Authority Subsystem Service (LSASS), the process that caches the secrets (NTLM hashes, Kerberos tickets and sometimes plaintext passwords) of logged-on users.
Dumping the LSASS process can be done in various ways. The most straightforward is the Win32 API MiniDumpWriteDump (exported by dbghelp.dll), which writes a memory dump of a process to a file. The process handle passed to it needs PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access; because LSASS runs as SYSTEM, the caller first enables SeDebugPrivilege on its own token to be allowed to open it (unless LSA protection, RunAsPPL, blocks the access altogether). However, since this method is detected…
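To make the "debug privilege, then LSASS read" pattern concrete, here is an added correlation example written for this edit; it is not the FalconFriday detection and not code from the original post. It assumes two simplified event shapes (a Windows Security 4703 token-privilege-adjusted event carrying the process that enabled SeDebugPrivilege, and a Sysmon Event ID 10 ProcessAccess event carrying the target image and GrantedAccess mask), a short correlation window, and a constructed allow-list; the sample events are constructed, not real telemetry.

```python
"""Flag processes that enable SeDebugPrivilege and then open LSASS for reading.

Added example for the FalconFriday page: not the post's own query. Event shapes
are simplified assumptions based on Windows Security 4703 and Sysmon EID 10.
"""
from datetime import datetime, timedelta

# Process access rights from winnt.h that MiniDumpWriteDump needs on its handle.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

LSASS_PATH = r"c:\windows\system32\lsass.exe"

# Constructed allow-list of images that legitimately hold SeDebugPrivilege and
# read LSASS (AV/EDR engines). A path match is weak: an attacker who can dump
# LSASS is already admin, so in production match on signer or hash instead.
DEFAULT_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
}

LSASS = r"C:\Windows\System32\lsass.exe"
DEFENDER = r"C:\Program Files\Windows Defender\MsMpEng.exe"

# Constructed sample telemetry (not real logs), already in time order.
SAMPLE_EVENTS = [
    # dumper.exe enables SeDebugPrivilege, then opens LSASS with PROCESS_ALL_ACCESS
    {"ts": "2021-03-19T10:00:01", "type": "4703", "pid": 4812,
     "image": r"C:\Users\bob\Downloads\dumper.exe", "enabled": ["SeDebugPrivilege"]},
    {"ts": "2021-03-19T10:00:03", "type": "sysmon10", "pid": 4812,
     "image": r"C:\Users\bob\Downloads\dumper.exe", "target": LSASS, "granted": "0x1FFFFF"},
    # AV engine does the same thing legitimately: suppressed by the allow-list
    {"ts": "2021-03-19T10:01:00", "type": "4703", "pid": 2200,
     "image": DEFENDER, "enabled": ["SeDebugPrivilege"]},
    {"ts": "2021-03-19T10:01:02", "type": "sysmon10", "pid": 2200,
     "image": DEFENDER, "target": LSASS, "granted": "0x1010"},
    # Enables SeDebugPrivilege but only touches LSASS 38 minutes later: outside window
    {"ts": "2021-03-19T10:02:00", "type": "4703", "pid": 5100,
     "image": r"C:\Windows\System32\WerFault.exe", "enabled": ["SeDebugPrivilege"]},
    {"ts": "2021-03-19T10:40:00", "type": "sysmon10", "pid": 5100,
     "image": r"C:\Windows\System32\WerFault.exe", "target": LSASS, "granted": "0x1410"},
    # Opens LSASS with PROCESS_QUERY_LIMITED_INFORMATION only (0x1000): cannot read memory
    {"ts": "2021-03-19T10:03:00", "type": "sysmon10", "pid": 6000,
     "image": r"C:\Windows\System32\Taskmgr.exe", "target": LSASS, "granted": "0x1000"},
]


def find_lsass_dumps(events, window_minutes=5, allowlist=DEFAULT_ALLOWLIST):
    """Return one alert per LSASS open with PROCESS_VM_READ by a process that
    enabled SeDebugPrivilege at most `window_minutes` earlier."""
    window = timedelta(minutes=window_minutes)
    debug_enabled = {}  # pid -> time SeDebugPrivilege was enabled
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "4703":
            if "SeDebugPrivilege" in ev["enabled"]:
                debug_enabled[ev["pid"]] = ts
            continue
        if ev["type"] != "sysmon10" or ev["target"].lower() != LSASS_PATH:
            continue
        granted = int(ev["granted"], 16)
        if not granted & PROCESS_VM_READ:
            continue  # no memory read right: MiniDumpWriteDump would fail
        enabled_at = debug_enabled.get(ev["pid"])
        if enabled_at is None or ts - enabled_at > window:
            continue  # no recent SeDebugPrivilege enable by this process
        if ev["image"].lower() in allowlist:
            continue
        alerts.append({"ts": ev["ts"], "pid": ev["pid"],
                       "image": ev["image"], "granted": hex(granted)})
    return alerts


if __name__ == "__main__":
    for alert in find_lsass_dumps(SAMPLE_EVENTS):
        print(f"{alert['ts']} pid={alert['pid']} {alert['image']} "
              f"opened LSASS with {alert['granted']} after enabling SeDebugPrivilege")
```

Only dumper.exe is reported: Defender is allow-listed, WerFault's LSASS access falls outside the window, and Task Manager never obtained PROCESS_VM_READ. Widening the window or emptying the allow-list changes which of those come back, which is the tuning trade-off any rule on this pattern has to make.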