Extracting Credentials from LSASS Quiz

1.Why does Windows cache credentials in the LSASS process?

• Because of a design flaw that Microsoft has not patched
• To support single sign-on — the system stores authentication material so it can authenticate to network resources on the user's behalf without re-prompting
• Because LSASS is a temporary buffer that automatically clears credentials after use
• To allow other users on the same system to share credentials

2.What privilege level is required to extract credentials from LSASS?

• Any authenticated domain user
• Local administrator or SYSTEM on the target host
• Domain Admin
• Physical access to the server

3.Why does who has logged into a system determine the value of LSASS extraction?

• Because LSASS only stores credentials for the most recently logged-in user
• Because LSASS caches credentials for every user who has recently authenticated — a server used by many administrators yields many high-value credentials, while a workstation may yield only one
• Because LSASS only stores credentials for administrative accounts
• Because the password policy determines which credentials are cached

4.What is Credential Guard, and how does it affect LSASS extraction?

• An antivirus feature that blocks Mimikatz from running
• A VBS-based protection that isolates LSASS credential material in a separate security environment, preventing standard extraction tools from reading it even with local admin access
• A Group Policy setting that prevents users from logging into multiple systems
• A password encryption feature that makes hashes uncrackable

5.Why is tiered administration a more architectural defense than endpoint protection alone?

• Because tiered administration uses stronger passwords
• Because it ensures Domain Admin credentials are only cached on Tier 0 systems (DCs), so compromising a workstation or member server cannot yield domain-level credentials
• Because tiered administration prevents all lateral movement
• Because endpoint protection cannot detect Mimikatz

6.What types of credential material can LSASS contain?

• Only NTLM password hashes
• NT hashes (for Pass the Hash), Kerberos TGTs (for Pass-the-Ticket), and in some configurations plaintext passwords (legacy WDigest)
• Only Kerberos tickets
• Encrypted credentials that must be cracked before use