Threat Intel: Attack Vector: Credential dumping protections using LSA Protection

368b50e1-18bd-4cc8-a296-b42030468dbe

In a Windows setup, when users log onto their systems (be it directly or via remote access), they use their usernames and passwords. Behind the scenes, this authentication duty is managed by the Local Security Authority Subsystem Service (LSASS) process, identified as "lsass.exe." This process holds critical authentication information in its memory, including user credentials and password hashes.

Aware of this, attackers often target the LSASS process to extract the Windows credentials cached from previous logon sessions, a technique known as credential dumping. Once they hold these credentials, attackers can move through the network with far less friction. This step is central to an attacker's strategy for gaining unauthorized access to accounts, passwords, and hashes.

Enabling LSA Protection prevents this kind of attack: LSASS runs as a protected process, so unsigned or non-protected code cannot open it to read its memory.

Remediation

To fix this, open the Registry Editor (RegEdit.exe) and navigate to the registry key located at “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa”.

Right-click and create a new value under this registry key as a DWORD (32-bit) Value.

Set the value name to “RunAsPPL” and the value data to “1 (Hexadecimal)”. The change takes effect after a reboot.
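The same remediation as a script, with a check that it actually took effect, added here as an example rather than taken from the original page. It assumes an elevated PowerShell session and relies on the System event ID 12 that Wininit logs at boot when LSASS starts as a protected process (the function names are this example's own).

```powershell
# Added example (not from the original page): audit and, if needed, enable LSA Protection (RunAsPPL).
# Run in an elevated PowerShell session; the setting only takes effect after a reboot.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'RunAsPPL'

function Get-LsaProtectionState {
    # Returns the current RunAsPPL value, or $null when the value is absent (protection off).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-LsaProtection {
    # Creates or updates the REG_DWORD value RunAsPPL = 1, matching the manual RegEdit steps above.
    if ((Get-LsaProtectionState) -eq 1) {
        Write-Output 'RunAsPPL is already set to 1; nothing to change.'
        return
    }
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output 'RunAsPPL set to 1. Reboot required before LSASS starts as a protected process.'
}

function Test-LsassRunningProtected {
    # After the reboot, Wininit writes System event ID 12:
    # "LSASS.exe was started as a protected process with level: 4".
    # Other providers also use ID 12 in the System log, so match on provider and message, not ID alone.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' -and $_.Message -match 'protected process with level:\s*4' } |
        Select-Object -First 1
    return ($null -ne $evt)
}

# Usage: report the registry state, apply the fix if needed, then report what LSASS is doing right now.
$state = Get-LsaProtectionState
Write-Output ('Registry RunAsPPL value: ' + $(if ($null -eq $state) { '<not set>' } else { $state }))
Enable-LsaProtection
Write-Output ('LSASS currently running as a protected process (per event log): ' + (Test-LsassRunningProtected))
```

A registry value of 1 with no matching event ID 12 means the host has not rebooted since the change, or something blocked the protected start; treat the event, not the registry value, as the evidence that the protection is active.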

More information: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
https://www.whiteoaksecurity.com/blog/credential-dumping-protections-part-1-lsa-protection/