{"id":48740,"date":"2022-10-05T16:00:00","date_gmt":"2022-10-05T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=123118"},"modified":"2022-10-05T16:00:00","modified_gmt":"2022-10-05T16:00:00","slug":"detecting-and-preventing-lsass-credential-dumping-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/detecting-and-preventing-lsass-credential-dumping-attacks\/","title":{"rendered":"Detecting and preventing LSASS credential dumping attacks"},"content":{"rendered":"<p>Obtaining user operating system (OS) credentials from a targeted device is among threat actors\u2019 primary goals when launching attacks because these credentials serve as a gateway to various objectives they can achieve in their target organization\u2019s environment, such as lateral movement. One technique attackers use is targeting credentials in the Windows Local Security Authority Subsystem Service (LSASS) process memory because it can store not only a current user\u2019s OS credentials but also a domain admin\u2019s.<\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1003\/001\/\">LSASS credential dumping<\/a> was first observed in the tactics, techniques, and procedures (TTPs) of several sophisticated threat activity groups\u2014including actors that Microsoft tracks as <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/02\/hafnium-targeting-exchange-servers\/\">HAFNIUM<\/a> and <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/12\/12\/gallium-targeting-global-telecom\/\">GALLIUM<\/a>\u2014 and has become prevalent even in the cybercrime space, especially with the rise of the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/05\/human-operated-ransomware-attacks-a-preventable-disaster\/\">ransomware as a service gig economy<\/a>. 
Detecting and stopping OS credential theft is therefore important because it can spell the difference between compromising or encrypting one device versus an entire network. Security solutions must provide specific measures and capabilities to help harden the LSASS process\u2014for example, <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/endpoint-defender\">Microsoft Defender for Endpoint<\/a> has advanced detections and a dedicated <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction\">attack surface reduction rule<\/a> (ASR) to block credential stealing from LSASS.<\/p>\n<p>In May 2022, Microsoft participated in an evaluation conducted by independent testing organization <a href=\"https:\/\/www.av-comparatives.org\/\">AV-Comparatives<\/a> specifically on detecting and blocking the LSASS credential dumping technique. The test, which evaluated several endpoint protection platforms (EPP) and endpoint detection and response (EDR) vendors, is the first time AV-Comparatives focused on a single attack technique, and we\u2019re happy to report that Defender for Endpoint passed all 15 test cases used to dump user OS credentials from the LSASS process, achieving 100% detection and prevention scores. Notably, we also passed all test cases <strong>with only Defender for Endpoint\u2019s default settings configured<\/strong>, that is, with LSASS ASR and Protective Process Light (PPL) turned off to validate our antivirus protection durability in itself. Such results demonstrate our continued commitment to provide organizations with industry-leading defense.<\/p>\n<p>In this blog, we share examples of various threat actors that we\u2019ve recently observed using the LSASS credential dumping technique. 
We also provide details on the testing methodology done by AV-Comparatives, which they also shared in their <a href=\"https:\/\/www.av-comparatives.org\/lsass-credential-dumping-security\/\">blog<\/a> and <a href=\"https:\/\/www.av-comparatives.org\/wp-content\/uploads\/2022\/09\/avc_sp_lsass_ms_2022.pdf\">detailed report<\/a>. Finally, we offer additional recommendations to further harden systems and prevent attackers from taking advantage of possible misconfigurations should they fail to leverage credential dumping.<\/p>\n<h2>LSASS credential dumping: What we see in the wild<\/h2>\n<p>Dumping LSASS credentials is important for attackers because if they successfully dump domain passwords, they can, for example, then use legitimate tools such as <em>PsExec<\/em> or Windows Management Instrumentation (WMI) to move laterally across the network. They can also use techniques like <a href=\"https:\/\/attack.mitre.org\/techniques\/T1550\/002\/\">pass-the-hash<\/a> for lateral movement if they manage to obtain the password hashes.<\/p>\n<p>Microsoft researchers are constantly monitoring the threat landscape, including the different ways threat actors attempt to steal user credentials. 
The table below is a snapshot of the most popular credential theft techniques these actors used from March to August 2022 based on our threat data:<\/p>\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/github.com\/LOLBAS-Project\/LOLBAS\/blob\/master\/README.md\"><strong>Living-off-the-land binary<\/strong><\/a><strong> (LOLBin) or hacking tool<\/strong><\/td>\n<td><strong>Threat actor that frequently uses this <\/strong>(not exhaustive)<\/td>\n<\/tr>\n<tr>\n<td><em>Comsvc.dll<\/em> (and its \u201cMiniDump\u201d export) loaded by <em>rundll32.exe<\/em><\/td>\n<td><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/09\/07\/profiling-dev-0270-phosphorus-ransomware-operations\/\">DEV-0270<\/a><\/td>\n<\/tr>\n<tr>\n<td>Mimikatz (and its modified variants)<\/td>\n<td>DEV-0674<\/td>\n<\/tr>\n<tr>\n<td><em>Procdump.exe<\/em> (with <em>-ma<\/em> command line option)<\/td>\n<td>DEV-0555<\/td>\n<\/tr>\n<tr>\n<td><em>Taskmgr.exe<\/em><\/td>\n<td>DEV-0300<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The first column shows the technique attackers most frequently used in their attempt to dump credentials from LSASS, while the second column shows which threat actor uses this technique most frequently. Based on the incidents we tracked from March to August 2022, credential theft attacks using LOLBins such as <em>comsvc.dll<\/em>, <em>procdump.exe<\/em>, or <em>taskmgr.exe<\/em> are still popular. 
These LOLBins are legitimate, digitally signed binaries that are either already present on the target device or are downloaded onto the system for the attacker to misuse for malicious activities.<\/p>\n<p>Microsoft Defender Antivirus prevents the execution of these command lines due to its synchronous command line-blocking capabilities.<\/p>\n<h2>AV-Comparatives test<\/h2>\n<p>To evaluate EPP and EDR capabilities against the LSASS credential dumping technique, AV-Comparatives ran 15 different test cases to dump credentials from the LSASS process using both publicly available hacking tools like Mimikatz (which the tester modified to bypass antivirus signatures) and privately developed ones. These test cases were as follows:<\/p>\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><strong>Test case<\/strong><\/td>\n<td><strong>LSASS attack method<\/strong><\/td>\n<\/tr>\n<tr>\n<td>01<\/td>\n<td>Mimikatz with process herpaderping<\/td>\n<\/tr>\n<tr>\n<td>02<\/td>\n<td>Native APIs DLL<\/td>\n<\/tr>\n<tr>\n<td>03<\/td>\n<td>Silent process exit<\/td>\n<\/tr>\n<tr>\n<td>04<\/td>\n<td>Alternative API snapshot function<\/td>\n<\/tr>\n<tr>\n<td>05<\/td>\n<td>MalSecLogon<\/td>\n<\/tr>\n<tr>\n<td>06<\/td>\n<td>Dump LSASS<\/td>\n<\/tr>\n<tr>\n<td>07<\/td>\n<td>Duplicate dump<\/td>\n<\/tr>\n<tr>\n<td>08<\/td>\n<td>PowerShell Mimikatz<\/td>\n<\/tr>\n<tr>\n<td>09<\/td>\n<td>Invoke Mimikatz (PoshC2)<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>SafetyDump<\/td>\n<\/tr>\n<tr>\n<td>11<\/td>\n<td>RunPE snapshot (PoshC2)<\/td>\n<\/tr>\n<tr>\n<td>12<\/td>\n<td>Unhook (Metasploit framework)<\/td>\n<\/tr>\n<tr>\n<td>13<\/td>\n<td>Reflective DLL (Metasploit framework)<\/td>\n<\/tr>\n<tr>\n<td>14<\/td>\n<td>Invoke Mimikatz (PowerShell Empire)<\/td>\n<\/tr>\n<tr>\n<td>15<\/td>\n<td>Invoke-PPL dump (PowerShell Empire)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Each test case implemented a comprehensive approach on how to dump credentials from LSASS. 
After the evaluation, AV-Comparatives shared the logs and a detailed description of the test cases. Microsoft participated using Defender for Endpoint, both its antivirus and EDR capabilities, <strong>with only the default settings configured<\/strong>.<\/p>\n<p>During the initial run, Defender for Endpoint prevented 11 out of 15 test cases and alerted\/detected three of the remaining ones (Figure 1). We then made improvements in our protection and detection capabilities and asked AV-Comparatives to re-test the missed test cases. During the re-test, we prevented all the remaining four test cases, achieving a 15 out of 15 prevention score.<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"961\" height=\"723\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/10\/fig1-av-comparatives-test.png\" alt=\"Table showing the AV-Comparatives test cases and the corresponding results for Microsoft Defender for Endpoint (rows) in the following areas (columns): LSASS dumping was possible, Extracting credentials (offline) from respective minidump file was possible, Prevention by AV module, and Detection by EDR module.\" class=\"wp-image-123127\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/10\/fig1-av-comparatives-test.png 961w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/10\/fig1-av-comparatives-test-300x226.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/10\/fig1-av-comparatives-test-768x578.png 768w\" sizes=\"auto, (max-width: 961px) 100vw, 961px\"><figcaption>Figure 1. Table showing how Defender for Endpoint prevented\/detected the test cases in the first run of the AV-Comparatives test. The antivirus module missed test cases 01, 03, 09, and 10. We added improvements to the product based on these findings, thus allowing Defender for Endpoint to achieve a 100% prevention score on re-test. 
(Source: <a href=\"https:\/\/www.av-comparatives.org\/wp-content\/uploads\/2022\/09\/avc_sp_lsass_ms_2022.pdf\">AV-Comparatives<\/a>)<\/figcaption><\/figure>\n<p>We\u2019d like to thank AV-Comparatives for this thorough test, which led us to improve our protection and detection capabilities in Defender for Endpoint. These improvements have already been rolled out to benefit our customers, and we\u2019re looking forward to the next similar test. We aim to provide industry-leading, cross-domain defense, so it\u2019s important for us to participate in tests like AV-Comparatives and <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/03\/31\/microsoft-protects-against-human-operated-ransomware-across-the-full-attack-chain-in-the-2022-mitre-engenuity-attck-evaluations\/\">MITRE Engenuity ATT&amp;CK Evaluations<\/a> because they help us ensure that we\u2019re delivering solutions that empower organizations to defend their environments.<\/p>\n<h2>Securing the LSASS process with coordinated threat defense and system hardening<\/h2>\n<p>The continuous evolution of the threat landscape has seen attacks leveraging OS credential theft, and threat actors will continue to find new ways to dump LSASS credentials in their attempts to evade detection. For Microsoft, our industry-leading defense capabilities in <a href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Microsoft Defender for Endpoint<\/a> are able to detect such attempts. We\u2019ve also introduced <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/04\/05\/new-security-features-for-windows-11-will-help-protect-hybrid-work\/\">new security features in Windows 11<\/a> to harden the operating system, such as enabling PPL for the LSASS process and Credential Guard by default. 
However, evaluations like this AV-Comparatives test go hand in hand with threat monitoring and research because they provide security vendors additional insights and opportunities to continuously improve capabilities.<\/p>\n<p>Our teams performed an in-house test of all these test cases with the <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem\">LSASS ASR rule<\/a> enabled to check the protection level of that rule. We\u2019re happy to report that the ASR rule alone successfully prevented all the tested techniques. The LSASS ASR rule is a generic yet effective protection our customers can implement to stop currently known user-mode LSASS credential dumping attacks. Defender customers should therefore enable this ASR rule\u2014along with <a href=\"https:\/\/support.microsoft.com\/windows\/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87\">tamper protection<\/a>\u2014as an added protection layer for the LSASS process.<\/p>\n<p>On top of the various dumping techniques, we\u2019ve also observed threat actors attempt to weaken the device settings in case they can\u2019t dump credentials. For example, they attempt to enable \u201cUseLogonCredential\u201d in WDigest registry, which enables plaintext passwords in memory. 
Microsoft Defender Antivirus detects such techniques, too, as Behavior:Win32\/WDigestNegMod.B.<\/p>\n<p>Windows administrators can also perform the following to further harden the LSASS process on their devices:<\/p>\n<p>Finally, customers with Azure Active Directory (Azure AD) can follow our recommendations on hardening environments:<\/p>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/10\/05\/detecting-and-preventing-lsass-credential-dumping-attacks\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>LSASS credential dumping is becoming prevalent, especially with the rise of human-operated ransomware. In May 2022, Microsoft participated in an evaluation conducted by AV-Comparatives specifically on detecting and blocking this attack technique and we\u2019re happy to report that Microsoft Defender for Endpoint achieved 100% detection and prevention scores.<br \/>\nThe post Detecting and preventing LSASS credential dumping attacks appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":48741,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[10230,5449,347,7221],"class_list":["post-48740","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-credential-dumping","tag-credential-theft","tag-cybersecurity","tag-microsoft-security-intelligence"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/48740","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=48740"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/48740\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/48741"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=48740"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=48740"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=48740"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}