Skip to content

Horizon3.ai Docs

H3-2021-0044

Horizon3.ai Docs

Home
Quickstart
Quickstart
- Setup NodeZero Host
  Setup NodeZero Host
- Run an Internal Pentest
  Run an Internal Pentest
Portal
Portal
- Test Types
  Test Types
  - Internal Pentest
    
    Internal Pentest
  - External Pentest
    
    External Pentest
    
    Create an Asset Group
    
    Run Asset Discovery
    
    Authorize Assets
    
    Run External Pentest
  - AWS Pentest
    
    AWS Pentest
  - Azure Entra ID
    
    Azure Entra ID
  - AD Password Audit
    
    AD Password Audit
  - Segmentation Test
    
    Segmentation Test
  - Phishing Test
    
    Phishing Test
    
    The NodeZero Phishing Script
  - Rapid Response
    
    Rapid Response
    
    Alerts
    
    Alerts
    
    Rapid Response Activity Cards
    
    Rapid Response Activity Cards
    
    Targeted Tests
    
    Targeted Tests
  - 1-Click Verify
    
    1-Click Verify
- Portal Settings
  Portal Settings
  - Set a Proxy
    
    Set a Proxy
  - Email Notifications
    
    Email Notifications
  - Pentest Templates
    
    Pentest Templates
  - User Management
    
    User Management
  - Client Management
    
    Client Management
  - Single Sign-On (SSO)
    
    Single Sign-On (SSO)
  - IDentity Provider (IdP) Guides
    
    IDentity Provider (IdP) Guides
    
    Azure
    
    Okta
- Features
  Features
  - Attack Configuration
    
    Attack Configuration
    
    Remote Access Tool
  - BloodHound
    
    BloodHound
  - Injecting Credentials
    
    Injecting Credentials
    
    Injecting an AWS Role
    
    Injecting an Azure MFA Credential
  - Schedules
    
    Schedules
  - Co-Branding
    
    Co-Branding
Tripwires
Tripwires
- Getting Started
- Management
- Alerts
- Settings
  Settings
CLI
CLI
- Getting Started
- Guides
  Guides
API
API
- API Reference
  API Reference
Release Notes
Release Notes
- 2024.10
- 2024.09
- 2024.08
- 2024.07
- 2024.06
- 2024.05
- 2024.04
- 2024.03
- 2024.02
- 2024.01
Downloads
Downloads
- NodeZero Host VM (OVA/VHD)
  NodeZero Host VM (OVA/VHD)
  - N0 utility
- Host Check Script
- Splunk App
- Ubuntu Setup Script
Knowledge Base
Knowledge Base
- NodeZero Modules
  NodeZero Modules
  - Cyanide
    
    Cyanide
- Glossary
  Glossary
- Sensitive Data
  Sensitive Data
- Weaknesses
  Weaknesses
- Exposure Score

H3-2021-0044

Credential Dumping - Local Security Authority Subsystem Service (LSASS) Memory


Category	`SECURITY_CONTROLS`
Base Score	`7.2`

Description

The Local Security Authority Subsystem Service (LSASS) is a Windows process that caches credential material in memory for users with active Windows sessions. Attackers with administrative privileges can extract these credentials from LSASS process memory using a variety of tools such as Mimikatz, procdump, and LaZagne.

Impact

Attackers who obtain cleartext credentials or NTLM hashes from LSASS memory can directly login with those credentials. Domain user credentials can be used to move laterally across the Active Directory environment. Attackers can also exploit password re-use to move laterally.

References