One of the first things FishMonger did once they gained access to a victim machine was to target LSASS (the Local Security Authority Subsystem Service) for credential dumping. LSASS is a primary target for adversaries because of the volume of valuable credential material it holds in memory.
It can hold the keys to the kingdom, enabling lateral movement, privilege escalation, and overall operational success. Finding and stopping OS credential dumping can keep one compromised host from turning into an entire owned network.
FishMonger used legitimate Windows binaries to accomplish this quietly, living off the land. For tools and recommendations (for example, reducing attack surface and preventing unauthorized processes from interacting with LSASS, which makes it harder to dump), see:
- RedCanary’s technique report: https://redcanary.com/threat-detection-report/techniques/lsass-memory/
- Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/
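To make the detection side concrete, here is an added example (not code from this post, from FishMonger's tooling, or from the linked reports) that scores process-access telemetry against lsass.exe. The record shape follows Sysmon Event ID 10 (ProcessAccess) field names, the sample records are constructed, and the allowlist of benign source images is a hypothetical starting point you would baseline from your own environment. It flags any non-allowlisted process that obtains a handle with PROCESS_VM_READ (the right needed to read memory), and raises severity when PROCESS_ALL_ACCESS is requested or a minidump library appears in the call trace.

```python
"""Flag process-access events against lsass.exe that look like credential dumping.

Added example for this post, not FishMonger tooling or code from the linked reports.
Input is modelled on Sysmon Event ID 10 (ProcessAccess) fields; the sample
records below are constructed, and the allowlist is a hypothetical starting point.
"""
from dataclasses import dataclass, field

# Process access-right bits (winnt.h). A dumper needs to read lsass memory,
# so PROCESS_VM_READ is the bit that matters most; 0x1FFFFF is PROCESS_ALL_ACCESS.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Hypothetical allowlist of images that legitimately open lsass.exe on a
# healthy host; baseline it from your own telemetry before relying on it.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Modules that implement MiniDumpWriteDump. Their presence in the call trace
# of a handle open against lsass is a strong signal that a dump is in progress.
DUMP_MODULES = ("dbghelp.dll", "dbgcore.dll")


@dataclass
class Finding:
    source_image: str
    granted_access: int
    severity: str
    reasons: list = field(default_factory=list)


def assess_event(event: dict):
    """Return a Finding for a suspicious lsass access, or None if it looks benign."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None

    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        # Query-only handles (e.g. 0x1000) cannot read memory; not a dump by themselves.
        return None

    source = event.get("SourceImage", "")
    if source.lower() in BENIGN_SOURCES:
        return None

    reasons = ["non-allowlisted process opened lsass.exe with PROCESS_VM_READ"]
    trace = event.get("CallTrace", "").lower()
    if any(module in trace for module in DUMP_MODULES):
        reasons.append("minidump library (dbghelp/dbgcore) in call trace")
    if granted == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS requested")

    severity = "high" if len(reasons) > 1 else "medium"
    return Finding(source, granted, severity, reasons)


def assess_events(events):
    """Run assess_event over a batch and keep only the findings."""
    return [f for f in (assess_event(e) for e in events) if f is not None]


# Constructed sample records shaped like Sysmon Event ID 10; not real telemetry.
SAMPLE_EVENTS = [
    {   # Benign: csrss routinely holds a full-access handle to lsass.
        "EventID": 10,
        "SourceImage": r"C:\Windows\System32\csrss.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4",
    },
    {   # Living-off-the-land pattern: a signed Windows binary opening lsass
        # with full access while the minidump library is on the stack.
        "EventID": 10,
        "SourceImage": r"C:\Windows\System32\rundll32.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\dbgcore.dll+2b1a0",
    },
    {   # Unknown binary reading lsass memory, no dump library visible: still worth a look.
        "EventID": 10,
        "SourceImage": r"C:\Users\Public\updater.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4",
    },
    {   # Query-limited handle only: cannot read memory, so not flagged.
        "EventID": 10,
        "SourceImage": r"C:\Users\Public\updater.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4",
    },
]

if __name__ == "__main__":
    for finding in assess_events(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.source_image} "
              f"(0x{finding.granted_access:X}): {'; '.join(finding.reasons)}")
```

Two design points worth keeping in mind when adapting this: the allowlist is what keeps the rule quiet on a healthy host, so it must come from your own baseline rather than a generic list, and the rule only sees what the sensor reports, so the preventive controls in the Microsoft link above (which stop unauthorized processes from getting such a handle in the first place) are the complementary half.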