While lsass.exe is a core Windows component, malware often masquerades as this service. In this scenario you should make sure the it has the following characteristics: Image Path: %SystemRoot%\System32\lsass.exe Parent Process: wininit.exe Number of Instances: One User Account: Local System Start Time: Within seconds of boot time However, malware also leverages the legitimate lsass.exe as well. Due to its privileged access and central role in brokering authentications on a Windows system, LSASS is very commonly abused in attacks that attempt to dump credentials at some point during their attack lifecycles. The most common way to dump credentials is to dump LSASS’ memory space and look for cleartext usernames, passwords, or password hashes. Many popular credential dumping tools (e.g. Mimikatz, WCE, etc.) that make the dumping process very user friendly are still used in commodity and targeted attacks today, but there are a variety of alternative, more advanced methods that leverage this sort of username and password dumping without dropping new binaries on the victim system. The latter type of attacks tend to leverage native Windows tools such as PowerShell, CMD, and MSBuild by abusing these tools to process a supplied script or code snippet that performs similar actions to the popular all-in-one credential dumping executables.