LSASS Credential Dumping — Mimikatz
MITRE T1003.001 · Password Hash Extraction · LSASS PPL Mitigation

The Local Security Authority Subsystem Service (LSASS) handles Windows authentication and stores credential material in memory — including NTLM hashes, Kerberos tickets, and in some configurations plaintext passwords. Tools like Mimikatz directly read LSASS memory to extract these credentials. With extracted hashes, an attacker can authenticate as any user whose credentials are cached — without knowing the plaintext password — and move laterally across the network.
LSASS credential dumping is present in virtually every modern intrusion. It is the standard post-exploitation technique used after initial access to pivot from a single workstation compromise to full network breach.
MITRE ATT&CK: T1003.001 — OS Credential Dumping: LSASS Memory
Primary Tool: Mimikatz (sekurlsa::logonpasswords)
Other Tools: ProcDump, Task Manager dump, comsvcs.dll MiniDump, CrackMapExec
No CVE: Technique exploiting legitimate LSASS memory access
Mitigation: LSASS Protected Process Light (PPL) — blocks commodity tools. BYOVD bypasses exist for advanced attackers.
LSASS runs as a protected process but historically allowed any process with SeDebugPrivilege (administrators have this by default) to open a handle and read its memory. Mimikatz uses this to extract credential material including NTLMv1 hashes (crackable), NTLMv2 hashes (crackable or relayable), Kerberos TGTs (usable for pass-the-ticket attacks), and in WDigest-enabled configurations, plaintext passwords.

LSASS PPL (Protected Process Light) prevents non-protected processes from opening LSASS. Advanced attackers bypass PPL by loading a vulnerable signed driver (BYOVD — Bring Your Own Vulnerable Driver) to gain kernel-level access. This requires additional tooling, elevated privileges, and substantially increases detection surface.
Verify LSASS PPL is enabled (PowerShell):
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name RunAsPPL -ErrorAction SilentlyContinue
# Safe result: RunAsPPL : 1
Verify WDigest is disabled (prevents plaintext password caching):
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name UseLogonCredential -ErrorAction SilentlyContinue
# Safe result (0 = disabled): UseLogonCredential : 0
Windows Defender detection for Mimikatz:
Get-MpThreatDetection | Where-Object {$_.ThreatName -like "*Mimikatz*"} | Select-Object ThreatName, InitialDetectionTime, ActionSuccess
Event log — LSASS access attempts:
# Event ID 4656 — Handle to LSASS requested (Security log; requires Object Access / Kernel Object auditing to be enabled, otherwise nothing is logged)
# Event ID 10 (Sysmon) — Process accessed lsass.exe (requires Sysmon installed)
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4656} | Where-Object {$_.Message -match "lsass"} | Select-Object TimeCreated, Message | Format-List
Indicators of compromise:
Process: sekurlsa.dll loaded into lsass.exe memory
Tool: mimikatz.exe, mimilib.dll, procdump.exe targeting lsass
LSASS Dump: %TEMP%\lsass.dmp or lsass.DMP in various locations
Command: procdump -ma lsass.exe lsass.dmp
Command: comsvcs.dll MiniDump LSASS_PID lsass.dmp full
Sysmon Event 10: ProcessAccess to lsass.exe from unexpected process
Event ID 4656: Handle request to lsass.exe with PROCESS_VM_READ access
BYOVD: Vulnerable signed drivers (e.g., RTCore64.sys) in temp directories
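The Sysmon Event ID 10 indicator above is the most reliable of the list, but the raw event stream includes every legitimate process that touches LSASS. The function below is an added example (not code from the original page or from Barr Cyber) that triages those events: it keeps only events whose target is lsass.exe, whose granted access includes PROCESS_VM_READ (the right actually needed to read credential material), and whose source image is not on a per-fleet allow-list. It assumes Sysmon is installed and logging to its default channel; the allow-list parameter is a constructed placeholder to be tuned per environment.

```powershell
# Added example (not part of the original page): triage Sysmon Event ID 10 (ProcessAccess)
# events that target lsass.exe. Assumes Sysmon is installed and writing to its default
# channel; the source-image allow-list is a constructed placeholder to tune per fleet.
function Get-SuspiciousLsassAccess {
    [CmdletBinding()]
    param(
        # Look-back window in hours.
        [int]$Hours = 24,
        # Constructed allow-list (hypothetical): processes that legitimately read LSASS on this fleet,
        # e.g. the installed AV/EDR engine. Empty by default so nothing is hidden until tuned.
        [string[]]$AllowedSourceImages = @()
    )

    # PROCESS_VM_READ (0x0010, winnt.h) is the right needed to read another process's memory.
    # Dump tools request it, usually together with PROCESS_QUERY_INFORMATION (0x0400) or
    # PROCESS_QUERY_LIMITED_INFORMATION (0x1000), hence commonly seen masks such as 0x1010 or 0x1410.
    $PROCESS_VM_READ = 0x0010

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Sysmon EventData fields are positional in the message text; the XML carries them by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Only events whose target is LSASS are of interest here.
        if ($data['TargetImage'] -notlike '*\lsass.exe') { return }

        # GrantedAccess is logged as a hex string such as "0x1010".
        $granted = [Convert]::ToInt32($data['GrantedAccess'], 16)
        if (($granted -band $PROCESS_VM_READ) -eq 0) { return }
        if ($AllowedSourceImages -contains $data['SourceImage']) { return }

        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            SourceImage   = $data['SourceImage']
            SourcePID     = $data['SourceProcessId']
            GrantedAccess = ('0x{0:X4}' -f $granted)
            # Call-stack frames that resolve to UNKNOWN rather than a loaded module deserve a closer look.
            CallTrace     = $data['CallTrace']
        }
    }
}

# Usage: Get-SuspiciousLsassAccess -Hours 72 | Format-Table -AutoSize
```

Filtering on the PROCESS_VM_READ bit rather than on an exact mask avoids missing tools that add or drop other rights; the allow-list should be populated from a baseline of the fleet's own security agents, not from a generic list, since any allow-listed path is also the path an attacker would most like to borrow.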

Step 1 — Enable LSASS Protected Process Light (requires reboot):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f

Step 2 — Disable WDigest to prevent plaintext password caching:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f

Step 3 — Enable Credential Guard (Windows 10/11 Enterprise — strongest mitigation):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 1 /f

Step 4 — Reboot and verify PPL active:

Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name RunAsPPL
# Expected: RunAsPPL : 1
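Steps 1 to 4 verify each setting individually. The function below is an added example (not code from the original page or from Barr Cyber) that audits the whole stack in one read-only pass and returns a pass/fail object per control, which is convenient for fleet-wide checks via remoting. Beyond the registry values the page uses, it also queries the Win32_DeviceGuard WMI class, which reports whether Credential Guard is actually running rather than merely configured; that query, and the interpretation of RunAsPPL value 2 and LsaCfgFlags value 2 (both "enabled without UEFI lock" on newer Windows builds), are additions here.

```powershell
# Added example (not part of the original page): read-only audit of the controls set in
# Steps 1-3. Run elevated after the reboot in Step 4. The Win32_DeviceGuard query is an
# addition; the page itself verifies Credential Guard only through the registry values.
function Test-LsassHardening {
    [CmdletBinding()]
    param()

    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $dguard  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

    # Returns the DWORD, or $null when the value is absent. Absent RunAsPPL means PPL is off.
    function Get-RegDword([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    $runAsPpl = Get-RegDword $lsa     'RunAsPPL'
    $useLogon = Get-RegDword $wdigest 'UseLogonCredential'
    $vbs      = Get-RegDword $dguard  'EnableVirtualizationBasedSecurity'
    $lsaCfg   = Get-RegDword $lsa     'LsaCfgFlags'

    # Registry shows what is configured; Win32_DeviceGuard shows what is running after reboot.
    # SecurityServicesRunning contains 1 when Credential Guard is active (2 is HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    [pscustomobject]@{
        Control = 'LSASS RunAsPPL (Step 1)'
        Value   = $runAsPpl
        Pass    = ($runAsPpl -in 1, 2)
        Note    = '1 = enabled with UEFI lock; 2 = enabled without UEFI lock (Windows 11 22H2+); effective only after reboot'
    }
    [pscustomobject]@{
        Control = 'WDigest UseLogonCredential (Step 2)'
        Value   = $useLogon
        Pass    = ($useLogon -eq 0)
        Note    = 'Must be 0 explicitly; absent means the OS default applies (disabled on Windows 8.1 / Server 2012 R2 and later, enabled on older builds)'
    }
    [pscustomobject]@{
        Control = 'Credential Guard configured (Step 3)'
        Value   = "VBS=$vbs LsaCfgFlags=$lsaCfg"
        Pass    = ($vbs -eq 1 -and $lsaCfg -in 1, 2)
        Note    = 'LsaCfgFlags 1 = with UEFI lock, 2 = without; requires Enterprise/Education and VBS-capable hardware'
    }
    [pscustomobject]@{
        Control = 'Credential Guard running (Step 4)'
        Value   = $cgRunning
        Pass    = $cgRunning
        Note    = 'From Win32_DeviceGuard.SecurityServicesRunning; false until reboot or if VBS cannot start'
    }
}

# Usage:
#   Test-LsassHardening | Format-Table Control, Value, Pass -AutoSize
#   if ((Test-LsassHardening).Pass -contains $false) { Write-Warning 'LSASS hardening incomplete' }
```

Keeping the "configured" and "running" checks separate matters in practice: a host can carry all the correct registry values yet still expose LSASS because it has not rebooted since Step 1, or because Credential Guard silently failed to start on hardware without virtualization support.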

Note on BYOVD: PPL blocks commodity tools like Mimikatz. Determined attackers with a vulnerable signed driver can bypass PPL. This requires loading the driver (elevated privileges), increases detection surface significantly, and is substantially more complex. For most threat models, PPL + WDigest disabled + Credential Guard is the appropriate defense stack.

Barr Cyber — Endpoint Hardening & System Configuration

LSASS PPL is enabled and verified in every Barr Cyber endpoint build. The BYOVD caveat is documented honestly — PPL blocks commodity tools and significantly raises the cost of credential dumping.
