
Extracting Credentials from LSASS Brief


What It Is

Extracting credential material from the LSASS process on a compromised host. LSASS caches authentication material for single sign-on: NT hashes, Kerberos TGTs, and in some configurations plaintext passwords. This is the bridge between host compromise and network-wide lateral movement.

Preconditions

Local administrator or SYSTEM on the target host, since opening a handle to LSASS requires SeDebugPrivilege. Credential Guard must not be enabled. In other words, the attacker must already have compromised the host and escalated to local admin.

Attacker Gain

Credentials for every user who has recently authenticated to the host: NT hashes for Pass-the-Hash, Kerberos TGTs for Pass-the-Ticket. Impact scales with who has logged in: a workstation yields one user; a server used by many admins yields many.

Key Points

  • Credential caching is by design (single sign-on), not a vulnerability
  • Who has logged in determines the value — jump boxes and RDP gateways are highest-value targets
  • Credential Guard (VBS isolation) is the strongest defense
  • Tiered administration limits what credentials are cached at each tier
  • Memory dump approach may evade endpoint detection vs live reading

Stakeholder Explanation

When employees log into a computer, their credentials are stored in memory for convenience. An attacker with admin access can read those credentials and use them to log into other systems as those employees. If admins log into workstations, their credentials are exposed there. Defenses: Credential Guard, tiered administration, LSASS access monitoring.
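The "LSASS access monitoring" defense named above, as an added detection example that is not part of the original brief: it classifies Sysmon Event ID 10 (ProcessAccess) records and flags any non-allowlisted process that obtains a handle to lsass.exe carrying PROCESS_VM_READ. The key=value event layout, the sample events and the allowlist are constructed assumptions.

```python
"""Flag LSASS handle opens that could read credential material (Sysmon Event ID 10)."""
import re
from typing import Dict, List, Optional

# Windows process access right carried in Sysmon's GrantedAccess mask.
PROCESS_VM_READ = 0x0010  # without this bit a handle cannot read LSASS memory

# Assumed allowlist of images that legitimately open LSASS; tune it per estate.
ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}

# Constructed sample events in a key=value layout; not taken from a real host.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Users\Public\dumper.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Users\Public\tool.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Users\Public\tool.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1010",
]

# key=value pairs whose values may contain spaces (e.g. "Program Files").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse(line: str) -> Dict[str, str]:
    """Split one event line into its fields."""
    return dict(FIELD_RE.findall(line))

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding when a non-allowlisted process opens LSASS with a
    handle that can read its memory, otherwise None."""
    if event.get("EventID") != "10":
        return None
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return None
    access = int(event.get("GrantedAccess", "0"), 16)
    # Both live reading and writing a memory dump need VM_READ on the handle,
    # so testing the bit (rather than exact masks such as 0x1010) also covers
    # PROCESS_ALL_ACCESS (0x1FFFFF) and other combinations.
    if access & PROCESS_VM_READ:
        return f"LSASS memory-read handle from {source} (GrantedAccess=0x{access:X})"
    return None

def scan(lines: List[str]) -> List[str]:
    """Run classify() over raw event lines and collect the findings."""
    findings = [classify(parse(line)) for line in lines]
    return [f for f in findings if f]
```

Of the five constructed events, only the two non-allowlisted handles with VM_READ on lsass.exe are reported; the 0x1000 (query-only) handle and the notepad.exe target are not.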

Report Phrasing

Finding: Credential Extraction from LSASS. The operator gained local admin on [host] and extracted credentials from LSASS. Recovered: [N] NT hashes and [N] Kerberos TGTs, including [privileged account]. Used for [lateral movement technique] to [target]. Credential Guard not enabled. Severity: Critical. Recommendation: Enable Credential Guard. Implement tiered administration. Monitor LSASS access.