An adversary who already holds administrative or SYSTEM privileges can harvest credentials from the memory of the Local Security Authority Subsystem Service (LSASS) process. Credential Dumping is MITRE ATT&CK Technique T1003 (OS Credential Dumping); reading LSASS memory is its sub-technique T1003.001.
This post provides the steps to configure Sysmon to log processes that open a handle to the lsass.exe process. Once this logging is configured, you can monitor for suspicious processes accessing lsass.exe, which may indicate credential dumping activity.
Install and Configure Sysmon
Download Sysmon: https://technet.microsoft.com/en-us/sysinternals/sysmon
Create a file named sysmon_config.xml and copy the configuration below into the file.
Install Sysmon from an elevated prompt using the configuration file you created:
sysmon64.exe -i .\sysmon_config.xml
Validate that the configuration has been applied by dumping the current sysmon configuration:
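The whole install procedure above as one added, runnable example (this is not the original post's configuration, which is not reproduced here): a PowerShell script that writes a minimal Sysmon config logging Event ID 10 (ProcessAccess) for every handle opened to lsass.exe, installs Sysmon with it, and then dumps the active configuration to confirm the rule loaded. The schemaversion value, the rule group names and the Windows Defender exclusion path are assumptions; adjust them to your Sysmon build and environment.

```powershell
# Added example (not the original post's configuration).
# Writes a minimal Sysmon config that logs Event ID 10 (ProcessAccess) for any
# process opening a handle to lsass.exe, installs it, then dumps the active config.
# Run from an elevated PowerShell prompt in the directory containing sysmon64.exe.

$configPath = Join-Path (Get-Location) 'sysmon_config.xml'

# schemaversion 4.22 is an assumption; check the schema your build expects with "sysmon64.exe -s".
$config = @'
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="LSASS access" groupRelation="or">
      <!-- Log every handle opened to lsass.exe (Event ID 10) -->
      <ProcessAccess onmatch="include">
        <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
      </ProcessAccess>
    </RuleGroup>
    <RuleGroup name="LSASS access exclusions" groupRelation="or">
      <!-- Exclude rules take precedence over include rules in Sysmon.
           Tune this list to your environment; the Defender path is an assumption. -->
      <ProcessAccess onmatch="exclude">
        <SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

Set-Content -Path $configPath -Value $config -Encoding ASCII

# Install the driver and service with the config (-accepteula avoids the EULA prompt).
# If Sysmon is already installed, use -c instead of -i to load the new config.
& .\sysmon64.exe -accepteula -i $configPath

# Dump the currently loaded configuration and confirm the lsass.exe rule is present.
# The -c dump prints each filter value, so a simple text match is enough here.
$active = & .\sysmon64.exe -c
if ($active -match 'lsass\.exe') {
    Write-Output 'ProcessAccess rule for lsass.exe is active.'
} else {
    Write-Warning 'lsass.exe rule not found in the active configuration.'
}
```

Logging every handle to lsass.exe is noisy on a real host (AV, WMI, csrss.exe and others open it legitimately), so the exclusion group is where the tuning happens; keep exclusions narrow, by full path, because an exclude rule silences that source entirely.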
Dump Passwords From Memory Using Mimikatz
To test the Sysmon ProcessAccess logging, dump passwords from memory using Mimikatz on a lab machine.
PS C:\Users\fmfx009\Downloads\mimikatz_trunk\x64> .\mimikatz.exe
Review Sysmon Event Logs for Mimikatz Usage
Access the Sysmon logs via the Event Viewer under Microsoft-Windows-Sysmon/Operational, or use the filtering features of Event Log Explorer.
Apply a filter to view all events with Event ID
You should see evidence of SourceImage: lsass.exe accessing TargetImage: mimikatz.exe. You should also see evidence of SourceImage: mimikatz.exe accessing TargetImage:
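The review step above as an added example (this is not code from the original post): a PowerShell function that pulls Sysmon Event ID 10 (ProcessAccess) records from Microsoft-Windows-Sysmon/Operational, keeps those whose TargetImage is lsass.exe, and reports the opening process, the access mask it was granted and its call trace. Sysmon writes the event fields as named Data elements, so the function parses the event XML rather than the rendered message. The function name and the list of suspicious access masks are assumptions: the masks are values commonly requested by Mimikatz-style readers (PROCESS_VM_READ combined with query-information rights, or full access), not values taken from the post.

```powershell
# Added example (not from the original post). Queries the Sysmon operational log for
# Event ID 10 (ProcessAccess) records whose TargetImage is lsass.exe and summarises
# who opened it and with what access rights. Reading this log requires admin rights.

function Get-LsassAccessEvents {
    param(
        [int]$MaxEvents = 500,
        # Assumption: access masks commonly seen from Mimikatz-style readers.
        # 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION,
        # 0x1410 adds PROCESS_QUERY_INFORMATION, 0x1438 adds VM_WRITE/VM_OPERATION,
        # 0x1fffff = PROCESS_ALL_ACCESS. Tune this list to your environment.
        [string[]]$SuspiciousMasks = @('0x1010', '0x1410', '0x1438', '0x1fffff')
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 10
    } -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($evt in $events) {
        # Event ID 10 fields (SourceImage, TargetImage, GrantedAccess, CallTrace, ...)
        # are named <Data> elements under EventData; pull them out of the XML.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetImage'] -notmatch '\\lsass\.exe$') { continue }

        $mask = [string]$data['GrantedAccess']
        [pscustomobject]@{
            TimeCreated   = $evt.TimeCreated
            SourceImage   = $data['SourceImage']
            SourcePid     = $data['SourceProcessId']
            TargetImage   = $data['TargetImage']
            GrantedAccess = $mask
            Suspicious    = $SuspiciousMasks -contains $mask.ToLower()
            # The call trace lists the modules the opener passed through; frames that
            # are UNKNOWN (not backed by a file) or in non-system DLLs deserve a look.
            CallTrace     = $data['CallTrace']
        }
    }
}

# Usage: list every LSASS access in the last 500 events, flagged rows first.
Get-LsassAccessEvents |
    Sort-Object Suspicious -Descending |
    Format-Table TimeCreated, SourceImage, GrantedAccess, Suspicious -AutoSize
```

After running Mimikatz on the test machine, the mimikatz.exe row should appear with a flagged access mask; rows from security products and system processes are the baseline you would then feed back into the exclusion list of the Sysmon configuration.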