Securing LSASS – Controls to Minimise Attack Surface – EMS Route


LSASS (Local Security Authority Subsystem Service) is one of the most important components of a Windows OS, say Windows 11, and one that threat actors are very tempted to get their hands on. It is the process responsible for handling authentication, logon and security policy on Windows.

Often, organisations don’t pay specific attention to this component, because the general understanding is “my AV, EDR or XDR will protect it for me”. Yes and no. What we are looking for is securing the process proactively rather than reactively. No, the AV alone will not protect it, but it can be protected with the help of the EDR or XDR and a watchful eye!


TL;DR:

  • A quick 101 to LSASS and Lateral Movement
  • Controls to Minimise Attack Surface
  • Detecting suspicious behaviour

  1. TL;DR:
  2. Where is LSASS Running From? Why Is It a Noisy Process? Why Is It So Important?
  3. Attack Kill-Chain
    1. Initial Access
    2. From the Field
    3. From that Point Onwards
    4. Pass-the-Hash (PtH)
    5. Other Activities
  4. Working with Noise Vs. Signal
  5. Controls to Minimise Attack Surface
    1. Control: Implementing LAPS
    2. Control: Microsoft Defender ASR Rule to Block Credentials Stealing
    3. Control: Enabling LSA Protection
    4. How ASR Rule Differs from LSA Protection Policy?
    5. Control: Credentials Guard
    6. Control: Check and Configure Network Security LAN Manager Authentication Level
    7. Control: Enable Block Potentially Unwanted Applications
  6. Detecting Suspicious Behaviour
  7. Wrapping Up

Where is LSASS Running From? Why Is It a Noisy Process? Why Is It So Important?

If you are not familiar with LSASS, this process runs on every Windows OS, client versions included. If you open Task Manager, LSASS is clearly visible in the process list.

Typically, this process is a bit noisy, because, as mentioned earlier, legitimate applications and processes access LSASS, and it also checks and validates the domain policies for the user who has logged on. As these operations happen, Security log events are generated frequently.

Apart from that, it validates the logon details behind Logon/Logoff events, handles Kerberos ticket activity (ticket expiry, automatic renewal etc.) and SSO activity for Entra apps. So to speak, this is the identity hub of the OS. This explains why the process is so important, and it also means these events are generated all day on every Windows endpoint.

Example Event: 4624 – A typical Successful Login


Example event 4672 – Special privileges assigned to new logon


So now you know how important the LSASS process is in the OS and why you need to protect it.


Attack Kill-Chain

Initial Access

Stolen VPN credentials and phishing emails are common initial access gateways.

From the Field

I have seen a phishing email saying your Chrome browser is outdated, click the link to update now. This installs a Chrome browser extension that downloads Cobalt Strike to the user’s system.

From that Point Onwards

Typically, the LSASS process stores the credential material discussed above, and it is important to understand the TTPs (Tactics, Techniques and Procedures) used against it. This technique is called OS Credential Dumping (T1003). The dumped material is then used to move laterally via other sub-techniques until the attacker gains the privileged access they need in the environment. An adversary may use techniques like Pass-the-Hash and Pass-the-Ticket to replay authentication without a user going through the authentication flow, or extract cleartext passwords, if any are present, and use them against other systems.

Procdump, Mimikatz and Cobalt Strike are some of the popular tools adversaries use for credential dumping, as well as for running these techniques while impersonating the user.

Pass-the-Hash (PtH)

Attackers extract an account’s NT hash from a credential dump (LSASS in this case, and also from SAM / NTDS) and reuse that hash to authenticate over NTLM (Pass-the-Hash), then move laterally using remote services (SMB/RDP/WinRM), repeating dumping and reuse along the kill-chain until they reach the privileged accounts they need. If NTLM (especially NTLMv1) is allowed, the protocol can be abused; mitigations and monitoring are required to stop it.

Other Activities

Pass-the-Ticket – Extracting Kerberos TGTs from LSASS memory to replay them on a different system.

Plaintext Passwords – Can be used to access services like RDP, VPN, web portals etc.

LSA Secrets – Cached service account credentials, local admin passwords, and DPAPI (Data Protection API) keys that can be used to decrypt certificates, private keys, Wi-Fi keys etc.


Working with Noise Vs. Signal

While most standard events need to happen by default for the OS to work, they generate a lot of events and noise in monitoring systems. This itself is an opportunity for threat actors, who can use techniques to sneak into a system and move laterally until they reach crown-jewel systems and services: Domain Controllers, databases, privileged accounts, sensitive apps etc.

Detecting suspicious behaviour is essential, as threat signals may float in the noise, and guard rails must be implemented to capture them with proper attention to detail. Some of the detections can be:

  • Same admin account used on many endpoints at the same time – no LAPS in use.
  • Sudden spike in NTLM authentication events or repeated authentication failures followed by success.
  • Non-DC hosts suddenly talking to DCs with DRS/RPC or LDAP requests they normally don’t make.
  • Privileged account (Domain Admin) network logon from endpoint.

As cybersecurity professionals, it is important to implement the necessary controls to mitigate these activities in the environment, minimise the attack surface and close gaps, making sure adversaries are unable to reach the crown jewels, and to put in place the necessary detections for suspicious activity.


Controls to Minimise Attack Surface

Control: Implementing LAPS

This is a no-brainer as to why you need to implement LAPS. As I mentioned earlier, in a Pass-the-Hash situation the attacker may take the local admin password hash extracted from one system and try it on a different system to see if it works there. If you don’t have a proper method to control local admin passwords, you MUST rethink the security posture and make the necessary arrangements to implement LAPS. LAPS rotates the local admin password (and can manage the admin account name) and ensures unique passwords throughout the fleet.


Control: Microsoft Defender ASR Rule to Block Credentials Stealing

ASR Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

Enabling this control on Windows endpoints helps you quickly take control of access to the LSASS process. As it generates some expected noise, it is recommended to leave this rule in Audit mode for a while to make sure you are aware of the processes that access LSASS, and to add the necessary exclusions for trusted processes that come from other apps or services.

From Microsoft:
Important: This rule is designed to block the processes from accessing LSASS.EXE process memory. It doesn’t block them from running. If you see processes like svchost.exe being blocked, it’s only blocking from accessing LSASS process memory.

Where to enable this?

Microsoft Intune’s Endpoint Security section, Defender XDR’s Endpoint Configuration section, or GPOs.

Control: Enabling LSA Protection

This feature prevents non-protected processes from accessing LSASS memory by checking a few things when a plug-in loads:

  • Signature: the LSA plug-in must be digitally signed with a Microsoft signature.
  • Adherence to the Microsoft SDL: the plug-in must conform to the applicable SDL process guidelines.

Tamper Protection for LSA Protection Settings via UEFI Lock

Additional protection via UEFI lock: this adds protection to the above by writing the requirement to the firmware. Once written, even if the setting in the OS is changed (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa), the protection cannot be tampered with.

Microsoft Intune > Configuration > Windows > Settings Catalog has the setting options.

To determine whether LSA starts in protected mode when Windows starts, take the following steps:

  1. Open Event Viewer.
  2. Expand Windows Logs > System.
  3. Look for the following WinInit event: 12: LSASS.exe was started as a protected process with level: 4

Enabling LSA Protection == Setting LSASS ASR Rule in Block mode

Note: Defender Credential Guard can’t be implemented if you have custom smart card drivers and/or legacy applications that load into the LSA process. The same applies when enabling the LSA Protection settings, as they apply to the whole OS. Such gaps are a good opportunity for threat actors to run successful malware campaigns with tools like Mimikatz, so make sure you have at least enabled the ASR rule to prevent access to LSASS memory.

But there are some distinctions between the two controls.

How ASR Rule Differs from LSA Protection Policy?

Feature | ASR Rule: Block LSASS Credential Theft | LSA Protection (RunAsPPL)
Scope | Blocks suspicious access attempts to LSASS | Runs LSASS as a protected process
Enforcement | Based on Defender’s behavioural rules | OS-level protection
Compatibility | Exceptions can be made for trusted apps via rule exclusions | Strict: only signed, trusted processes can access LSASS

Control: Credentials Guard

Enabling Credential Guard complements the LSA Protection settings. Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials.

How to enable?

On Windows 11, version 22H2 and Windows Server 2025, VBS and Credential Guard are enabled by default on devices that meet the requirements. The default behaviour does not write to firmware (UEFI lock); this can be changed later.

When enabled, Kerberos service tickets aren’t protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is protected.

Where to enable from: Microsoft Intune > Configuration > Windows > Settings Catalog has the setting options.

It is good to understand the Credential Guard protection limits when you are enabling the feature.


Control: Check and Configure Network Security LAN Manager Authentication Level

Caution: This can affect legacy apps that still rely on NTLMv1; after setting this to “Send NTLMv2 response only”, the NTLMv1 challenges sent by those apps will fail.

Where to enable this?

Microsoft Intune > Security Baselines > Security Baseline for Windows 10 and later

Control: Enable Block Potentially Unwanted Applications

Blocking PUAs is good practice regardless, but in this case it also restricts the device from running unsigned and unsafe applications.

Where to enable this?

Microsoft Intune > Endpoint Security > Antivirus

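To check where a single device stands against the controls above (all except LAPS, which is configured in Intune/AD rather than on the endpoint), here is an added audit script that is not part of the original post. It reads the RunAsPPL and LmCompatibilityLevel values from the Lsa key, the WinInit event 12 mentioned above, the ASR rule state by the GUID quoted above, Credential Guard status from the DeviceGuard WMI class, and the PUA setting; the mapping tables for the numeric values are mine and the script assumes Defender AV is present.

```powershell
# Added example, not from the original post: audit the LSASS controls on the local device.
# Run in an elevated PowerShell session. Assumes Defender AV is installed (Get-MpPreference).

$asrLsassGuid = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # ASR rule GUID quoted in the post
$asrActions   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$puaStates    = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

# LSA Protection (RunAsPPL): 1 = on with UEFI lock, 2 = on without UEFI lock, 0/absent = off
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }

# Did LSASS actually start protected? WinInit event 12 in the System log records it.
$bootEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue

# ASR rule state: Ids and Actions are parallel arrays in Get-MpPreference
$mp = Get-MpPreference
$asrState = 'Not configured'
$ids = @($mp.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $asrLsassGuid) {
        $asrState = $asrActions[[int]$mp.AttackSurfaceReductionRules_Actions[$i]]
    }
}

# Credential Guard: SecurityServicesRunning contains 1 when Credential Guard is running (2 = HVCI)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$credGuard = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

# LAN Manager authentication level: 3 = Send NTLMv2 response only,
# 5 = Send NTLMv2 response only / refuse LM & NTLM; absent = OS default
$lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 'OS default' }

[pscustomobject]@{
    LsaProtection_RunAsPPL    = $runAsPpl
    LsaProtection_BootEvent12 = [bool]$bootEvent
    AsrLsassRule              = $asrState
    CredentialGuardRunning    = $credGuard
    LmCompatibilityLevel      = $lmLevel
    PuaProtection             = $puaStates[[int]$mp.PUAProtection]
}
```

A device that has all controls applied reports RunAsPPL 1 or 2 with the boot event present, the ASR rule in Block, Credential Guard running, LmCompatibilityLevel 3 or higher, and PUA protection in Block.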

Detecting Suspicious Behaviour

While the above controls minimise the attack surface, detecting suspicious behaviour is equally important. Understanding the threat signals, anomalies and behaviour of accounts and devices can lead to investigations and incident mitigation sooner rather than later. In this blog I’m not going to show how to create workbooks or construct KQL queries, but rather what you should add to your analysis tasks.

The trigger here is that, if you are monitoring the event IDs, many of them are generated as a follow-up to another, and that chain may indicate something suspicious is going on.

There can be more to this, and as Security Analysts you may have your own workbooks which you run. However I thought this can be helpful, and of course for this section I got some help from Microsoft Copilot to structure the techniques and the event IDs that correlate with them 🙂

  • Same account (e.g. local admin accounts) being used to log in to many machines in a small time window.
  • Failed logons on endpoints – Event ID 4625
  • Account lockouts, probably following failed logon activity – Event ID 4740
  • New process creation – Event ID 4688

Credential Access (TA0006)

Technique | Event IDs | Detection Notes
Credential Dumping (LSASS) | 4688 (Process Creation), 4656 (Handle Request), 4663 (Object Access), Sysmon 10 (Process Access), Sysmon 11 (File Create) | Look for processes like mimikatz.exe, procdump.exe, rundll32 comsvcs.dll MiniDump, or LSASS handle access.
Dumping SAM/NTDS | 4663 (Object Access), 4656 (Handle Request), 5145 (SMB Share Access) | Access to C:\Windows\NTDS\ntds.dit or SAM registry hives.
Credential Extraction via LSASS | 4688, Sysmon 10 | Monitor for suspicious memory access to lsass.exe.
Cached Credential Dumping | 4656, 4663 | Access to the SECURITY hive in the registry.

Pass-the-Hash (T1550.002)

Technique | Event IDs | Detection Notes
NTLM Authentication | 4624 (Logon Success), 4625 (Logon Failure), 4648 (Explicit Credentials), 4776 (NTLM Auth Attempt) | Look for Logon Type 3 (Network) with NTLM, especially from unusual hosts.
Privilege Escalation via PtH | 4672 (Special Privileges) | Admin-level logons after NTLM authentication.

Lateral Movement (TA0008)

Technique | Event IDs | Detection Notes
Remote Service Creation (PsExec) | 7045 (Service Installed), 4688 (Process Creation) | PsExec creates services remotely; look for psexesvc.exe.
WMI Execution | 4688 (Process Creation), Sysmon 1 (Process Create) | Look for wmic.exe or powershell.exe with remote execution commands.
Scheduled Task for Remote Execution | 4698 (Task Created), 4699 (Task Deleted) | Tasks created remotely for persistence or execution.
SMB/Share Access | 5140 (Share Access), 5145 (Share Object Checked) | Used for lateral movement and tool transfer.
RDP Lateral Movement | 4624 (Logon Success, Type 10), 4625 (Failures) | Monitor for unusual RDP sessions.

Common Sysmon Event IDs

Event ID | Description
1 | Process creation
3 | Network connection
10 | Process accessed another process (e.g., LSASS memory read)
11 | File created (e.g., LSASS dump file)
13 | Registry value set
22 | DNS query

Wrapping Up

I hope you got some idea of the LSASS process and the importance of setting up the guard rails to close gaps and detect anomalies sooner rather than later, as it is the brain of the identities on the endpoint and, in most cases, where lateral movement begins.

Read more: Microsoft Article – Detecting and preventing LSASS credential dumping attacks By Microsoft Threat Intelligence

