lsass.exe Explained: Credential Theft Target or Legitimate Windows Process? [2026]
lsass.exe (Local Security Authority Subsystem Service) is the core Windows authentication process that stores user credentials in memory. It's the #1 target for credential dumping attacks because it contains NTLM hashes, Kerberos tickets, and sometimes plaintext passwords. Only ONE instance should exist at C:\Windows\System32\lsass.exe. Enable LSA Protection (PPL) and Credential Guard for maximum protection.
Risk Summary
lsass.exe is the single most valuable target for credential theft attacks. Once compromised, attackers can dump NTLM password hashes, Kerberos tickets, and cached credentials to enable lateral movement across your entire network. 87% of ransomware intrusions involve LSASS credential dumping within the first 4-6 hours.
Overview
What is lsass.exe?
lsass.exe (Local Security Authority Subsystem Service) is the core Windows authentication and credential management process. It enforces security policy, validates user logons, manages access tokens and, critically, holds credential material in memory for the lifetime of each user session.
From a security perspective, lsass.exe is the single most valuable target for credential theft attacks because it contains:
- NTLM password hashes for any user with an active session
- Kerberos tickets (TGTs and TGSs) for domain authentication
- Plaintext passwords (in certain conditions or older systems)
- Cached credentials for recently logged-in accounts
- Service account passwords (sometimes in hashed form)
Core Functions
Authentication & Verification:
- Validates local user credentials against the Security Accounts Manager (SAM) database
- Validates domain credentials against Active Directory via NTLM or Kerberos
- Verifies user identity during logon, service authentication, and network resource access
Token Creation:
- Generates and issues access tokens that determine what resources users can access
- Maintains token lifetime and permissions throughout the user session
Policy Enforcement:
- Enforces security policies on the system
- Manages user rights and permissions
- Controls access to protected resources
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\lsass.exe |
| Parent | wininit.exe (or no parent) |
| Instances | ONE (exactly one) |
| User | NT AUTHORITY\SYSTEM |
| Children | None (typically) |
| Memory | 40-150 MB (varies by system/logins) |
| Startup | Seconds after boot (Session 0) |
Why Only One Instance
Unlike svchost.exe, which runs many instances, lsass.exe should have exactly ONE running instance. More than one lsass.exe process is a critical indicator of compromise.
Normal Functions
- Validating user credentials during login
- Managing Kerberos ticket caching
- Enforcing security policies
- Generating and issuing access tokens
- Storing credential materials in protected memory
Common Locations
C:\Windows\System32\lsass.exe
Suspicious Indicators
Legitimate vs Suspicious: Recognition Guide
LEGITIMATE: Normal lsass.exe
Path: C:\Windows\System32\lsass.exe (ONLY location)
Signature: Signed by Microsoft Corporation
Parent: wininit.exe (or no parent process)
Instances: ONE and ONLY ONE
User: NT AUTHORITY\SYSTEM
Behavior: No child processes
Memory: 40-150 MB (varies by system/logins)
Startup: Seconds after boot (Session 0)
Protection: Protected Process Light (PPL) when LSA Protection is enabled (available since Windows 8.1; enabled by default on new Windows 11 22H2+ installs)
SUSPICIOUS: Malware Indicators
Path: C:\Users\...\AppData\...
C:\ProgramData\lsass.exe
C:\Windows\Temp\lsass.exe
Any path NOT System32
Signature: Unsigned, invalid, or different publisher
Parent: explorer.exe, cmd.exe, powershell.exe, notepad.exe
Instances: Multiple lsass.exe processes
User: Running as standard user or different account
Behavior: Spawning child processes
Misspelling: look-alike names such as lssass.exe or lsaass.exe (typosquatting); the legitimate binary is always spelled lsass.exe
Comparison Table
| Indicator | Legitimate | Suspicious | Risk Level |
|---|---|---|---|
| File Path | C:\Windows\System32\lsass.exe | Anywhere else | Critical |
| Digital Signature | Microsoft Corporation, Valid | Unsigned/Invalid/Different | Critical |
| Parent Process | wininit.exe or none | explorer.exe, cmd.exe, other | Critical |
| Process Count | 1 (exactly one) | Multiple instances | Critical |
| User Context | NT AUTHORITY\SYSTEM | Standard user | High |
| Child Processes | None (normal) | Any child process | High |
Abuse Techniques
Credential Dumping Attack Techniques
Technique #1: Direct LSASS Memory Dump via Mimikatz (T1003.001)
Attack Flow:
Attacker obtains admin privileges → Runs Mimikatz → Executes sekurlsa::logonPasswords → Mimikatz reads LSASS memory directly → Extracts NTLM hashes, Kerberos tickets, plaintext passwords
How It Works: Mimikatz uses Windows API calls (OpenProcess, ReadProcessMemory) to:
- Open a handle to lsass.exe with full access (GrantedAccess: 0x1F0FFF)
- Read process memory regions where credentials are stored
- Parse memory structures to extract credential material
- Display plaintext passwords or hashes directly to attacker
Detection Signals:
- Sysmon Event ID 10: Process access to lsass.exe with suspicious GrantedAccess flags
- EDR alerts on Mimikatz signature or behavior
- Suspicious DLL loading: dbgcore.dll or dbghelp.dll (both export MiniDumpWriteDump) loaded by a process that has no debugging purpose; ntdll.dll is mapped into every process, so it only matters when combined with signs of unhooking or direct syscall use
Technique #2: Memory Dump File + Offline Extraction
Attack Flow: Attacker creates memory dump of LSASS → Moves dump file to safe location → Extracts credentials offline using Mimikatz or Pypykatz → Avoids real-time EDR detection
Legitimate Tools Abused:
| Tool | Legitimate Purpose | How Abused |
|---|---|---|
| ProcDump | System diagnostics | Dump LSASS memory |
| Task Manager | Process management | Create dump file |
| Comsvcs.dll | Component services | MiniDump function for LSASS |
Example Commands:
procdump -ma lsass.exe lsass.dmp
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> lsass.dmp full
Technique #3: LSA Secrets Extraction via Registry
Attack Flow: Attacker gains admin on domain controller → Dumps SAM, SYSTEM, SECURITY registry hives → Extracts LSA secrets and cached credentials → Obtains service account passwords
Registry Hives Targeted:
| Hive | Contains | Attack Value |
|---|---|---|
| SAM | Local user account hashes | Compromise local systems |
| SYSTEM | Boot key needed to decrypt SAM | Required for hash extraction |
| SECURITY | LSA Secrets (service passwords) | Service account compromise |
| NTDS.dit (DC only) | All AD user hashes | Complete domain takeover |
Detection Guidance
Detection Strategies
Detection Priority #1: Sysmon Event ID 10 (Process Access to LSASS)
Monitor for:
Event: ProcessAccess (Sysmon Event ID 10)
Target: lsass.exe
Suspicious GrantedAccess flags:
- 0x1010 (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ: enough to read LSASS memory)
- 0x1400 (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION: metadata queries; noisy on its own, weigh it together with the source process)
- 0x1F0FFF (PROCESS_ALL_ACCESS, full access - CRITICAL)
Detection Rule:
TargetImage ends with "\lsass.exe" AND
GrantedAccess IN [0x1F0FFF, 0x0010, 0x1010, 0x1400] AND
SourceImage file name NOT IN ["services.exe", "svchost.exe", "winlogon.exe"]
→ ALERT: Potential LSASS credential dumping attempt
(Sysmon records SourceImage and TargetImage as full paths, so match on the file name, not the whole string.)
Detection Priority #2: Mimikatz Behavior Signatures
High-Risk Indicators:
- API Hooking patterns (ntdll.dll manipulation)
- Memory dump file creation (*.dmp, *.dump, *.tmp)
- Comsvcs.dll execution via rundll32.exe
- PowerShell with -Dumpcreds parameter
- ProcDump running against lsass.exe
Detection Priority #3: Memory Dump Operations
Monitor For:
- File creation: lsass*.dmp, lsass*.tmp
- ProcDump, Comsvcs.dll MiniDump operations
- File exfiltration immediately after dump creation
Enterprise EDR Detection Rules
Rule #1: LSASS Memory Access
Filter: TargetImage = "lsass.exe" AND GrantedAccess = 0x1F0FFF
Action: ALERT | Severity: CRITICAL
Rule #2: Credential Dumping Tool Execution
Filter: ImageName IN ["mimikatz.exe", "procdump.exe", "pypykatz.exe"]
Action: ALERT | Severity: CRITICAL
Rule #3: Memory Dump File Creation
Filter: FileCreated AND FileName LIKE "*lsass*.dmp"
Action: ALERT | Severity: CRITICAL
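The Sysmon Event ID 10 rule and EDR Rule #1 above, as an added hunting script (not code from the original article): it pulls ProcessAccess events for lsass.exe, decodes the GrantedAccess mask into PROCESS_* rights and drops sources from an assumed allow list that you should tune for your estate. It assumes Sysmon is installed with a ProcessAccess rule covering lsass.exe (the default configuration logs no Event 10) and an elevated shell.

```powershell
# Added example (not code from the article): hunt Sysmon Event ID 10 for handles
# opened on lsass.exe and decode the GrantedAccess mask into PROCESS_* rights.
# Assumes Sysmon is installed with a ProcessAccess rule that covers lsass.exe
# (the default configuration logs no Event 10) and that the shell is elevated.
$ProcessRights = @(
    @{ Bit = 0x0001; Name = 'PROCESS_TERMINATE' },
    @{ Bit = 0x0002; Name = 'PROCESS_CREATE_THREAD' },
    @{ Bit = 0x0008; Name = 'PROCESS_VM_OPERATION' },
    @{ Bit = 0x0010; Name = 'PROCESS_VM_READ' },
    @{ Bit = 0x0020; Name = 'PROCESS_VM_WRITE' },
    @{ Bit = 0x0040; Name = 'PROCESS_DUP_HANDLE' },
    @{ Bit = 0x0400; Name = 'PROCESS_QUERY_INFORMATION' },
    @{ Bit = 0x1000; Name = 'PROCESS_QUERY_LIMITED_INFORMATION' }
)
function ConvertTo-RightsList([long]$Mask) {
    if ($Mask -eq 0x1F0FFF) { return 'PROCESS_ALL_ACCESS' }
    ($ProcessRights | Where-Object { $Mask -band $_.Bit } | ForEach-Object Name) -join '|'
}
function Find-LsassAccess {
    param(
        [int]$Hours = 24,
        # Images that open LSASS on a healthy host; an assumed starting list, tune per estate
        [string[]]$AllowSource = @('services.exe', 'svchost.exe', 'winlogon.exe',
                                   'wininit.exe', 'csrss.exe', 'MsMpEng.exe')
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10
                 StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($evt in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Flatten the EventData <Data Name="..."> elements into a lookup table
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetImage -notmatch '\\lsass\.exe$') { continue }
        $mask = [Convert]::ToInt64($data.GrantedAccess, 16)   # recorded as e.g. "0x1010"
        # Dumpers need to read LSASS memory: PROCESS_VM_READ (0x10) or full access
        $canRead = (($mask -band 0x0010) -ne 0) -or ($mask -eq 0x1F0FFF)
        $source  = [IO.Path]::GetFileName($data.SourceImage)
        if (-not $canRead -or ($AllowSource -contains $source)) { continue }
        [PSCustomObject]@{
            UtcTime       = $data.UtcTime
            SourceImage   = $data.SourceImage
            SourceUser    = $data.SourceUser
            GrantedAccess = $data.GrantedAccess
            Rights        = ConvertTo-RightsList $mask
            CallTrace     = $data.CallTrace   # frames in UNKNOWN modules point to injected code
        }
    }
}
Find-LsassAccess -Hours 24 | Format-Table -AutoSize -Wrap
```

Anything that survives the allow list with PROCESS_VM_READ or full access is a candidate for the "Immediate Response" steps in the remediation section; review CallTrace before closing a hit as benign.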
Remediation Steps
LSASS Protection: Enabling LSA Protection & Credential Guard
Defense Layer #1: LSA Protection (PPL)
What It Does: Prevents even administrators from injecting code into LSASS or reading its memory.
Enable LSA Protection (Registry):
# 1 = enabled with a UEFI lock (cannot be undone by editing the registry alone);
# on Windows 11 22H2+ a value of 2 enables it without the UEFI lock
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "RunAsPPL" -Value 1 -Type DWord
Restart-Computer
Verify LSA Protection is Active:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL"
# Should return: RunAsPPL = 1
# After the reboot the System log also records Wininit event ID 12 ("LSASS.exe was started as a protected process")
Defense Layer #2: Credential Guard (Virtualization-Based Security)
What It Does: Isolates credentials in a separate protected process (LSAIso.exe) using hardware virtualization.
Requirements:
- Windows 10 (v1507+) or Windows 11
- Secure Boot enabled
- TPM 2.0 (optional, recommended)
- Virtualization extensions enabled
Enable Credential Guard (Registry):
# Credential Guard only starts when Virtualization-Based Security is on, so enable VBS first
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord
# LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "LsaCfgFlags" -Value 1 -Type DWord
Restart-Computer
If LSASS Compromise Suspected
Immediate Response:
- Isolate affected system from network
- Preserve memory dump and process logs
- Alert incident response team
- Reset all passwords for users with active sessions
- Check all other systems for lateral movement
- Force domain-wide credential rotation if domain accounts compromised
Investigation Checklist
- Verify lsass.exe is located at C:\Windows\System32\lsass.exe
- Confirm valid Microsoft Corporation digital signature
- Check parent process is wininit.exe (or no parent)
- Verify ONLY ONE lsass.exe process exists
- Review Sysmon Event ID 10 for suspicious access patterns
- Check for GrantedAccess flags: 0x1F0FFF, 0x1010, 0x1400
- Search for memory dump files: lsass*.dmp, lsass*.tmp
- Verify LSA Protection is enabled (RunAsPPL = 1)
- Check Credential Guard status
- Search for credential dumping tools: mimikatz, procdump, pypykatz
- Review registry hive export operations
- Check authentication anomalies post-incident
- Document findings for incident report
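The host-side items of the checklist above (path, signature, parent, instance count, children, LSA Protection and Credential Guard status), as an added triage script that is not part of the original article. Run it elevated, otherwise ExecutablePath and the signature check come back empty; it assumes the Win32_DeviceGuard WMI class is present (Windows 10/11, Server 2016+).

```powershell
# Added example (not code from the article): check the live host against the
# lsass.exe baseline. Run elevated; assumes Win32_DeviceGuard exists on this OS.
function Test-LsassIntegrity {
    $findings = [System.Collections.Generic.List[string]]::new()
    $expected = Join-Path $env:SystemRoot 'System32\lsass.exe'
    $procs = @(Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'")
    if ($procs.Count -ne 1) { $findings.Add("Expected exactly one lsass.exe, found $($procs.Count)") }
    foreach ($p in $procs) {
        if (-not $p.ExecutablePath) {
            $findings.Add("PID $($p.ProcessId): ExecutablePath unreadable (not elevated?)"); continue
        }
        if ($p.ExecutablePath -ne $expected) { $findings.Add("PID $($p.ProcessId): unexpected path $($p.ExecutablePath)") }
        # A parent that has already exited is normal ("no parent"); anything but wininit.exe is not
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        if ($parent -and $parent.Name -ne 'wininit.exe') { $findings.Add("PID $($p.ProcessId): parent is $($parent.Name)") }
        $children = @(Get-CimInstance Win32_Process -Filter "ParentProcessId = $($p.ProcessId)")
        if ($children.Count -gt 0) { $findings.Add("PID $($p.ProcessId): child processes $($children.Name -join ', ')") }
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings.Add("PID $($p.ProcessId): signature $($sig.Status), signer $($sig.SignerCertificate.Subject)")
        }
    }
    # LSA Protection: RunAsPPL 1 = on with UEFI lock, 2 = on without lock (Windows 11 22H2+)
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($lsa.RunAsPPL -notin 1, 2) { $findings.Add("RunAsPPL is '$($lsa.RunAsPPL)': LSA Protection not configured") }
    # Credential Guard: Win32_DeviceGuard lists service id 1 in SecurityServicesRunning when it is active
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg -or $dg.SecurityServicesRunning -notcontains 1) { $findings.Add('Credential Guard is not running') }
    if ($findings.Count -eq 0) { 'OK: lsass.exe state matches the expected baseline' } else { $findings }
}
Test-LsassIntegrity
```

Pair the output with the Sysmon hunt from the detection section and the dump-file search (lsass*.dmp, lsass*.tmp); a clean baseline here does not rule out a dump that was already taken and removed.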