Attack Technique

Credential Theft

Attackers rarely crack passwords in real time -- they extract hashes and reuse them directly. LSASS memory holds every credential that has touched the machine. Kerberos service tickets can be cracked offline. Stolen credentials are the keys to every door in the environment.

Techniques covered (5): T1003.001 LSASS Memory, T1550.002 Pass the Hash, T1558.003 Kerberoasting, T1003.002 SAM Database, T1003.006 DCSync
Windows LSASS process memory -- what attackers are looking for (illustrative layout, not real addresses)
0x0000 - 0x0FFF: LSASS.EXE process header / kernel mapping
0x1000 - 0x2FFF: NTLM credential cache -- usernames + NTLM hashes
0x3000 - 0x4FFF: Kerberos TGT cache -- domain user tickets (TGTs)
0x5000 - 0x6FFF: Digest cache -- cleartext passwords (if WDigest enabled)
0x7000+: LSA secrets, DPAPI master keys, cached domain credentials
Why LSASS is the target
LSASS holds credentials for every account that has authenticated on the machine since the last reboot -- including domain admin accounts used to remotely manage it. An attacker with local admin rights can read LSASS memory using standard Windows debugging APIs, then extract hashes that work on every other machine in the domain. No network scanning required.
Techniques
Each technique is a different way to acquire credentials without knowing the original password
LSASS Memory Dump
T1003.001
Read LSASS process memory to extract NTLM hashes, Kerberos tickets, and cleartext passwords
How it works
Any process with SeDebugPrivilege (granted to local admins) can call Windows debugging APIs (MiniDumpWriteDump, ReadProcessMemory) to read LSASS memory. Tools like Mimikatz, ProcDump, and Task Manager's "Create dump file" function all do this. The resulting dump file contains every cached credential in a format that credential parsing tools can extract.
In IRON CHIMNEY
On FINANCE-WS-01, the attacker used reflective DLL injection to run a credential dumping tool inside a legitimate process, avoiding the LSASS-access signature. The extracted hashes included a domain admin account that had logged in remotely during a maintenance window.
Detection
Sysmon Event 10 (Process Access): a non-system process accessing LSASS with read permissions. Windows Credential Guard moves credentials out of LSASS memory entirely. Protected Process Light (PPL) prevents most debugging access. EDR behavioral detection on the access pattern is the primary signal in modern environments.
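The Sysmon Event 10 signal above, as an added example that is not part of the foyl page: a triage function over ProcessAccess records that flags reads of LSASS memory by non-allow-listed images, and also catches the reflective-injection case from the scenario by looking for unbacked frames (UNKNOWN) in Sysmon's CallTrace. The allow-list and the sample records are constructed assumptions to be tuned per environment.

```python
PROCESS_VM_READ = 0x0010  # the access right a memory dump needs; a handle without it cannot read

# Images that open LSASS routinely (assumption; tune per environment).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

def triage(event):
    """Return a finding string for one Sysmon Event 10 record (dict), or None if benign."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    access = int(event["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:
        return None
    src = event["SourceImage"].lower()
    # Sysmon prints UNKNOWN for a stack frame it cannot map to a loaded module,
    # i.e. code running from unbacked memory: the trace a reflectively injected
    # dumper leaves even when its host process is on the allow-list.
    injected = "UNKNOWN" in event.get("CallTrace", "")
    if src in ALLOWED_SOURCES and not injected:
        return None
    reason = ("call stack contains unbacked code (possible reflective injection)"
              if injected else "source image not allow-listed")
    return (f"LSASS read by {event['SourceImage']} (pid {event['SourceProcessId']}) "
            f"GrantedAccess 0x{access:x}: {reason}")

SAMPLE_EVENTS = [  # constructed records, not from a real host
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": "912",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\KERNELBASE.dll+2a6ca"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": "4488",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|UNKNOWN(000001C2F9A51B3E)"},
    {"SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\procdump64.exe", "SourceProcessId": "5120",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\KERNELBASE.dll+2a6ca"},
]

def findings(events=SAMPLE_EVENTS):
    """All findings for a list of records, in input order."""
    return [f for f in map(triage, events) if f]

if __name__ == "__main__":
    for line in findings():
        print(line)
```

The first sample opens LSASS with query rights only and is ignored; the other two are flagged, one for the unbacked call stack and one for the unexpected source image.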
Pass the Hash (PtH)
T1550.002
Use an NTLM hash directly as authentication proof -- no password cracking needed
How it works
NTLM authentication works by challenging the client to prove it knows the password -- but the proof is computed from the hash, not the plaintext. An attacker who has the hash can respond to the challenge correctly without ever knowing the underlying password. This means a stolen hash authenticates to any system where that account has access, without triggering any "wrong password" events.
Example command
pth-winexe -U FICSIT/DA_account%aad3b435...:e8bea8f... //FIC-DC-01 cmd.exe
Detection
Event ID 4624 with Logon Type 3 (network) and authentication package NtLmSsp from an unexpected source. PtH from a workstation to a domain controller is almost always malicious. SIEM rules that alert on workstations accessing domain controller admin shares detect PtH in practice, even if the authentication event itself appears normal.
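The SIEM rule described above, as an added example that is not part of the foyl page: a check over Windows Security Event 4624 records for Logon Type 3 with the NtLmSsp logon process arriving at a domain controller from a workstation. The asset-role lookup, addresses and sample records are constructed assumptions.

```python
ASSET_ROLES = {  # assumption: stands in for a CMDB lookup of source address -> (host, role)
    "10.10.1.25": ("FINANCE-WS-01", "workstation"),
    "10.10.1.26": ("FINANCE-WS-02", "workstation"),
    "10.10.0.10": ("DC-01", "domain_controller"),
    "10.10.2.40": ("FIC-SQL-01", "server"),
}
DOMAIN_CONTROLLERS = {"DC-01", "FIC-DC-01"}   # hosts whose 4624 events this rule inspects

def source_of(event):
    """(hostname, role) for the logon's source address, or (ip, 'unknown')."""
    return ASSET_ROLES.get(event["IpAddress"], (event["IpAddress"], "unknown"))

def is_pth_candidate(event):
    """True when a 4624 record is a workstation -> DC network logon over NTLM."""
    if event["EventID"] != 4624 or event["LogonType"] != "3":
        return False
    # The event log pads the logon process name ("NtLmSsp "), hence strip().
    if event["LogonProcessName"].strip() != "NtLmSsp":
        return False
    if event["TargetUserName"].endswith("$"):
        return False            # machine accounts fall back to NTLM routinely
    _, role = source_of(event)
    return role == "workstation" and event["Computer"] in DOMAIN_CONTROLLERS

def explain(event):
    host, _ = source_of(event)
    return (f"NTLM network logon as {event['TargetDomainName']}\\{event['TargetUserName']} "
            f"on {event['Computer']} from {host} ({event['IpAddress']}): "
            "workstation-to-DC NTLM, review for pass-the-hash")

SAMPLE_EVENTS = [  # constructed records, not from a real SIEM
    {"EventID": 4624, "Computer": "DC-01", "LogonType": "3", "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "jdoe",
     "TargetDomainName": "FICSIT", "IpAddress": "10.10.1.26"},
    {"EventID": 4624, "Computer": "DC-01", "LogonType": "3", "LogonProcessName": "NtLmSsp ",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "DA_account",
     "TargetDomainName": "FICSIT", "IpAddress": "10.10.1.25"},
    {"EventID": 4624, "Computer": "FIC-SQL-01", "LogonType": "3", "LogonProcessName": "NtLmSsp ",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_backup",
     "TargetDomainName": "FICSIT", "IpAddress": "10.10.0.10"},
]

def alerts(events=SAMPLE_EVENTS):
    """Explanations for every candidate record, in input order."""
    return [explain(e) for e in events if is_pth_candidate(e)]

if __name__ == "__main__":
    print("\n".join(alerts()))
```

Only the second record fires: a Kerberos logon from a workstation and an NTLM logon to a member server from the DC both pass.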
Kerberoasting
T1558.003
Request Kerberos service tickets, then crack them offline at GPU speed
How it works
In Kerberos, service tickets (TGS tickets) are encrypted with the service account's NTLM hash. Any domain user can request a TGS for any service account that has a SPN registered. The ticket can then be taken offline and cracked with tools like Hashcat -- no lockouts, no network noise during the crack, and no alerts if the service account has a weak password.
In IRON CHIMNEY
From FIC-EXCH-01, the attacker requested TGS tickets for the SQL service account (MSSQLSvc/FIC-SQL-01) and the backup service account (BackupSvc). Both cracked within hours using a wordlist + rules attack -- the passwords were "Summer2022!" and "Backup@2023".
Detection and defense
Event ID 4769 with encryption type 0x17 (RC4) -- modern environments should use AES encryption. A single host requesting many TGS tickets in rapid succession is a strong indicator. Defense: use gMSA accounts so service account passwords are uncrackable 240-character random strings.
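Both indicators above, as an added example that is not part of the foyl page: an RC4 (0x17) check over Windows Security Event 4769 records that ignores machine accounts and krbtgt, and a sliding-window count of distinct services requested per source address. The threshold, window and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                      # TicketEncryptionType for RC4-HMAC tickets
BURST_THRESHOLD = 5                    # distinct services from one IP inside the window (assumption)
BURST_WINDOW = timedelta(minutes=5)

def rc4_service_tickets(events):
    """4769 records where an RC4 ticket was issued for a user service account,
    i.e. not a machine account ($) and not krbtgt: crackable material."""
    return [e for e in events
            if e["TicketEncryptionType"].lower() == RC4_HMAC
            and not e["ServiceName"].endswith("$")
            and e["ServiceName"].lower() != "krbtgt"]

def tgs_bursts(events):
    """Map source IP -> set of services for IPs that requested tickets for at least
    BURST_THRESHOLD distinct services within any BURST_WINDOW span."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["IpAddress"]].append((datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    bursts = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # slide the window over sorted requests
            inside = {svc for t, svc in reqs[i:] if t - t0 <= BURST_WINDOW}
            if len(inside) >= BURST_THRESHOLD:
                bursts[ip] = inside
                break
    return bursts

def _rec(minute, svc, etype, ip):
    """Build one constructed 4769 record."""
    return {"TimeCreated": f"2024-03-11T09:{minute}:00", "TargetUserName": "jdoe@FICSIT.LOCAL",
            "ServiceName": svc, "TicketEncryptionType": etype, "IpAddress": ip}

SAMPLE_EVENTS = [  # constructed: normal AES tickets from one host, a six-service RC4 sweep from another
    _rec("14", "krbtgt", "0x12", "10.10.1.26"),
    _rec("15", "FIC-SQL-01$", "0x12", "10.10.1.26"),
    _rec("14", "svc_sql", "0x17", "10.10.3.7"),
    _rec("14", "BackupSvc", "0x17", "10.10.3.7"),
    _rec("15", "svc_web", "0x17", "10.10.3.7"),
    _rec("15", "svc_print", "0x17", "10.10.3.7"),
    _rec("16", "svc_report", "0x17", "10.10.3.7"),
    _rec("16", "svc_monitor", "0x17", "10.10.3.7"),
]

if __name__ == "__main__":
    print(len(rc4_service_tickets(SAMPLE_EVENTS)), "RC4 service tickets; bursts:", tgs_bursts(SAMPLE_EVENTS))
```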
SAM Database
T1003.002
Copy the local SAM hive to extract local account hashes offline
How it works
The Security Account Manager (SAM) file stores NTLM hashes for local user accounts. It is locked by the OS while running, but attackers can extract it using reg.exe save or by accessing Volume Shadow Copies. The SAM is encrypted with a key stored in the SYSTEM hive, so both files are needed. Local admin passwords are the target -- if they are the same across many machines (a common misconfiguration), one compromised machine yields access to all of them.
Detection and defense
Command line to alert on: reg.exe save HKLM\SAM sam.hive (together with the matching save of the SYSTEM hive). LAPS (Local Administrator Password Solution) ensures every machine has a unique, automatically rotated local admin password, making SAM extraction much less valuable. Credential Guard prevents most LSASS-based credential theft on the same machines.
DCSync
T1003.006
Impersonate a domain controller to pull every hash in Active Directory
How it works
DCSync abuses the domain replication protocol. Domain controllers replicate changes to each other using a protocol (MS-DRSR) that any account with "Replicating Directory Changes" permissions can invoke. An attacker with domain admin rights -- or rights granted to a compromised service account -- can use Mimikatz's DCSync to pull the NTLM hash for any or all domain accounts, including the KRBTGT account used to forge Kerberos tickets (Golden Ticket attack).
Detection
Event ID 4662 with Object Type "Directory Service" and Access Right "Control Access" for Replicating Directory Changes. Network-level: a non-DC machine initiating DRSUAPI replication traffic to a domain controller is an extremely strong indicator. This is one of the best DCSync detection signals available.
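The 4662 signal above, as an added example that is not part of the foyl page: a check over Windows Security Event 4662 records that matches the Control Access bit together with the well-known Active Directory replication control-access-right GUIDs, and excludes the domain controllers' own computer accounts. The DC account list and the sample records are constructed assumptions.

```python
CONTROL_ACCESS = 0x100        # AccessMask bit that 4662 reports as "Control Access"
# Well-known control-access-right GUIDs for AD replication (as they appear in Properties).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DC_ACCOUNTS = {"FIC-DC-01$", "DC-01$"}  # assumption: the domain's DC computer accounts

def replication_rights_used(event):
    """Names of the replication rights listed in a 4662 record's Properties field."""
    props = event["Properties"].lower()
    return {name for guid, name in REPLICATION_RIGHTS.items() if guid in props}

def is_dcsync(event):
    """True for a Control Access replication request by something other than a DC."""
    if event["EventID"] != 4662 or not int(event["AccessMask"], 16) & CONTROL_ACCESS:
        return False
    if event["SubjectUserName"] in DC_ACCOUNTS:
        return False                        # DC-to-DC replication is the normal case
    return bool(replication_rights_used(event))

def explain(event):
    rights = ", ".join(sorted(replication_rights_used(event)))
    return (f"{event['SubjectDomainName']}\\{event['SubjectUserName']} requested {rights} "
            f"on {event['ObjectName']} from a non-DC principal: possible DCSync")

GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
DOMAIN_DNS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # object type GUID of the domain head
UNRELATED = "{00000000-0000-0000-0000-000000000000}"    # placeholder for an unrelated property

SAMPLE_EVENTS = [  # constructed records, not from a real domain
    {"EventID": 4662, "SubjectUserName": "DC-01$", "SubjectDomainName": "FICSIT",
     "ObjectName": "DC=ficsit,DC=local", "AccessMask": "0x100",
     "Properties": f"{GET_CHANGES_ALL}\n{DOMAIN_DNS}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectDomainName": "FICSIT",
     "ObjectName": "DC=ficsit,DC=local", "AccessMask": "0x100",
     "Properties": f"{GET_CHANGES}\n{GET_CHANGES_ALL}\n{DOMAIN_DNS}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "FICSIT",
     "ObjectName": "CN=jdoe,CN=Users,DC=ficsit,DC=local", "AccessMask": "0x10",
     "Properties": UNRELATED},
]

def alerts(events=SAMPLE_EVENTS):
    """Explanations for every DCSync candidate, in input order."""
    return [explain(e) for e in events if is_dcsync(e)]

if __name__ == "__main__":
    print("\n".join(alerts()))
```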
Defending against credential theft
Layered controls -- no single defense covers all techniques
Control | What it addresses
Windows Credential Guard | Moves NTLM hashes and Kerberos tickets into an isolated virtualized environment, preventing LSASS dumping by most techniques
Protected Users group | Prevents NTLM authentication for privileged accounts, forcing Kerberos only and disabling credential caching
LAPS | Unique, rotated local admin passwords on every machine -- SAM extraction yields one machine's access, not all
gMSA accounts | 240-character random service account passwords -- Kerberoasting produces an uncrackable ticket
Tiered admin model | Domain admins never log into workstations -- their hashes never appear in workstation LSASS memory
EDR / Sysmon Event 10 | Detects unusual LSASS access patterns in real time before hashes leave the machine
See it in foyl Learn
Where to look | What you will find
EDR / RESEARCH-STATION-01 | Sysmon Event 10: LSASS access by injected process, process tree shows lateral movement chain
SIEM / INV-2024-0087 | Event 4769 RC4 Kerberoasting, Event 4624 Type 3 from FINANCE-WS-01 to DC-01
IRON CHIMNEY scenario | Full credential theft timeline within the attack chain