Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.
It creates security tokens for SAM (Security Account Manager), AD (Active Directory), and NETLOGON. It uses authentication packages specified in
Lsass.exe is another process adversaries target. Credential-dumping tools such as Mimikatz read LSASS process memory to extract cached credentials, and adversaries also masquerade as this process to hide in plain sight. Again, they do this either by giving their malware the exact process name (typically running from a different directory) or by misspelling the name slightly.
Number of Instances: One
Start Time: Within seconds of boot time
A parent process other than
Image file path other than
Subtle misspellings to hide rogue processes in plain sight
Multiple running instances
Not running as
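The baseline above (one instance, started within seconds of boot, expected parent, image path and account, no near-miss spellings) can be applied mechanically to a process snapshot. The following is an added example, not code from the original page: the baseline constants (parent wininit.exe, image path under System32, the SYSTEM account) are supplied here from the standard Windows configuration rather than quoted from the page, and the process records are constructed for the example. On a live host the same records would be built from, for instance, Get-CimInstance Win32_Process.

```python
"""Hunt a process snapshot for lsass.exe anomalies.

Added example. Baseline values and sample records are supplied here;
on a live host the records would come from e.g. Get-CimInstance
Win32_Process or a Sysmon event 1 export (assumed, not from the page).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Standard Windows baseline for a legitimate lsass.exe (supplied by this
# example, not quoted from the page). Paths and users are compared lowercased.
EXPECTED_NAME = "lsass.exe"
EXPECTED_PARENT = "wininit.exe"
EXPECTED_PATH = r"c:\windows\system32\lsass.exe"
EXPECTED_USER = r"nt authority\system"
MAX_START_DELAY = timedelta(seconds=60)   # "within seconds of boot time"


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    user: str
    start: datetime


@dataclass
class Finding:
    pid: Optional[int]      # None for snapshot-wide findings (instance count)
    reason: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'lssas.exe' is 1 from 'lsass.exe' while 'csrss.exe' stays at 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def hunt(procs: Iterable[Proc], boot_time: datetime) -> List[Finding]:
    """Apply the normal-lsass baseline to every process whose name is
    lsass.exe or one edit/transposition away from it."""
    procs = list(procs)
    by_pid = {p.pid: p for p in procs}
    candidates = [p for p in procs if osa_distance(p.name.lower(), EXPECTED_NAME) <= 1]
    findings: List[Finding] = []

    exact = [p for p in candidates if p.name.lower() == EXPECTED_NAME]
    if len(exact) != 1:
        findings.append(Finding(None, f"{len(exact)} processes named lsass.exe (expected exactly 1)"))

    for p in candidates:
        if p.name.lower() != EXPECTED_NAME:
            findings.append(Finding(p.pid, f"name {p.name!r} is a near-miss spelling of lsass.exe"))
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<not in snapshot>"
        if parent_name != EXPECTED_PARENT:
            findings.append(Finding(p.pid, f"parent is {parent_name} (expected {EXPECTED_PARENT})"))
        if p.path.lower() != EXPECTED_PATH:
            findings.append(Finding(p.pid, f"image path {p.path} (expected {EXPECTED_PATH})"))
        if p.user.lower() != EXPECTED_USER:
            findings.append(Finding(p.pid, f"running as {p.user} (expected {EXPECTED_USER})"))
        if p.start - boot_time > MAX_START_DELAY:
            findings.append(Finding(p.pid, f"started {p.start - boot_time} after boot"))
    return findings


def reasons_for(findings: List[Finding], pid: Optional[int]) -> List[str]:
    return [f.reason for f in findings if f.pid == pid]


# Constructed snapshot: one genuine lsass.exe plus two masquerades.
SYSTEM = r"NT AUTHORITY\SYSTEM"
BOOT_TIME = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE_PROCS = [
    Proc(496, 4, "smss.exe", r"C:\Windows\System32\smss.exe", SYSTEM, BOOT_TIME + timedelta(seconds=1)),
    Proc(500, 496, "wininit.exe", r"C:\Windows\System32\wininit.exe", SYSTEM, BOOT_TIME + timedelta(seconds=2)),
    Proc(600, 496, "csrss.exe", r"C:\Windows\System32\csrss.exe", SYSTEM, BOOT_TIME + timedelta(seconds=2)),
    Proc(640, 500, "lsass.exe", r"C:\Windows\System32\lsass.exe", SYSTEM, BOOT_TIME + timedelta(seconds=3)),
    Proc(3000, 2900, "explorer.exe", r"C:\Windows\explorer.exe", r"CORP\alice", BOOT_TIME + timedelta(seconds=45)),
    # Same name, wrong everything else: a copy dropped in a user-writable temp dir.
    Proc(4100, 3000, "lsass.exe", r"C:\Users\alice\AppData\Local\Temp\lsass.exe", r"CORP\alice", BOOT_TIME + timedelta(hours=2)),
    # Transposed spelling, also launched from the desktop session.
    Proc(4200, 3000, "lssas.exe", r"C:\Windows\Temp\lssas.exe", r"CORP\alice", BOOT_TIME + timedelta(hours=3)),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROCS, BOOT_TIME):
        print(f"pid={f.pid}: {f.reason}")
```

Two design points worth noting. The instance count is reported as a snapshot-wide finding rather than against a particular pid, because when two lsass.exe processes exist the analyst has to use the other checks to decide which one is genuine. The near-miss check uses an edit distance that counts an adjacent transposition as one edit with a threshold of 1, which catches the usual swapped, dropped, doubled or substituted character without sweeping in legitimately similar names such as csrss.exe; on a real snapshot, a parent that is absent because it exited is itself worth a look, since wininit.exe persists for the life of the session.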