Author: Microsoft
Source: Wild
Lsass.exe is the Local Security Authority Subsystem Service (LSASS) and is responsible for enforcing the security policy for the system. It handles password changes and verifies users logging into Windows.
[Charts not reproduced in this extraction. Panels on the original page: EchoTrail Prevalence Score (EPS); Rank Analysis: Host Prevalence, Execution Rank; Behavioral Analysis: Top Filenames, Top Paths (99.88 %), Top Network Ports (36.30 %); Ancestry Analysis: Top GrandParents, Top Parents, Top Children.]
Security Analysis
While lsass.exe is a core Windows component, malware often masquerades as this service. To rule that out, make sure the process has the following characteristics:

Image Path: %SystemRoot%\System32\lsass.exe
Parent Process: wininit.exe
Number of Instances: One
User Account: Local System
Start Time: Within seconds of boot time

A process named lsass.exe that deviates on any of these (a second instance, a parent other than wininit.exe, an image in a user-writable directory, a non-SYSTEM owner, or a start time long after boot) warrants investigation.

Malware also abuses the legitimate lsass.exe. Because of its privileged access and central role in brokering authentication on a Windows system, LSASS is very commonly targeted by attacks that dump credentials at some point in the attack lifecycle. The most common technique is to read LSASS's memory space and search it for cleartext usernames, passwords, or password hashes. Popular credential dumping tools (e.g. Mimikatz, WCE) that make this process very easy are still used in both commodity and targeted attacks today, but there are alternative, more advanced methods that achieve the same result without dropping new binaries on the victim system. These tend to abuse native Windows tools such as PowerShell, CMD, and MSBuild, feeding them a script or code snippet that performs the same actions as the all-in-one credential dumping executables.
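The five characteristics above can be verified on a live host from an elevated PowerShell prompt. The script below is an added example, not part of the EchoTrail page or any Microsoft tooling; it uses only the CIM cmdlets and the Win32_Process / Win32_OperatingSystem classes. The 60-second boot window is an assumed threshold for "within seconds of boot time", not a value from the page.

```powershell
# Added example: check a host's lsass.exe against the expected characteristics.
# Run elevated: ExecutablePath and GetOwner on lsass.exe are empty/denied otherwise.
$expectedPath      = Join-Path $env:SystemRoot 'System32\lsass.exe'
$bootTime          = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$bootWindowSeconds = 60   # assumed threshold, not from the page

$lsass    = @(Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'")
$findings = @()

# Number of Instances: One
if ($lsass.Count -ne 1) {
    $findings += "Expected exactly one lsass.exe instance, found $($lsass.Count)"
}

foreach ($p in $lsass) {
    # Image Path: %SystemRoot%\System32\lsass.exe (-ne is case-insensitive for strings)
    if ($p.ExecutablePath -ne $expectedPath) {
        $findings += "PID $($p.ProcessId): image path '$($p.ExecutablePath)', expected '$expectedPath'"
    }

    # Parent Process: wininit.exe. Also require the parent to predate the child,
    # which guards against a reused PID pointing at an unrelated process.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent -or $parent.Name -ne 'wininit.exe' -or $parent.CreationDate -gt $p.CreationDate) {
        $parentName = if ($parent) { $parent.Name } else { '<exited or not found>' }
        $findings += "PID $($p.ProcessId): parent is '$parentName' (PID $($p.ParentProcessId)), expected wininit.exe"
    }

    # User Account: Local System
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($owner.ReturnValue -ne 0 -or $owner.User -ne 'SYSTEM') {
        $findings += "PID $($p.ProcessId): owner '$($owner.Domain)\$($owner.User)', expected NT AUTHORITY\SYSTEM"
    }

    # Start Time: within seconds of boot time
    $delta = ($p.CreationDate - $bootTime).TotalSeconds
    if ($delta -lt 0 -or $delta -gt $bootWindowSeconds) {
        $findings += "PID $($p.ProcessId): started $([math]::Round($delta)) s after boot, expected <= $bootWindowSeconds s"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'lsass.exe matches all expected characteristics'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Any warning is a lead, not a verdict: a late start time can follow a crash-and-restart of the real service, and a missing image path usually means the shell was not elevated. A second lsass.exe, a parent other than wininit.exe, or an image outside System32 should be treated as a likely masquerade and the binary pulled for analysis.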