Credential stealing is a type of cyberattack where hackers target the process that handles Windows security. You can liken it to a thief swiping your house keys and quickly copying them. With these keys, they have access to your house whenever they want. So what do you do when you discover your keys are stolen? You change the locks. Here’s how to do the equivalent of that on Windows to combat credential stealing.
What Is Windows LSASS?
Windows Local Security Authority Server Service (LSASS) is a process that manages your computer’s security policy. LSASS validates logins, password changes, access tokens, and administrative privileges for multiple users on a system or server.
Think of LSASS as the bouncer who checks IDs at the main gate and cordons off VIP rooms. Without a bouncer at the door, anyone can enter the club with a fake ID, and nothing is stopping them from entering restricted areas.
What Is Credential Stealing?
LSASS runs as a process, lsass.exe. Upon booting, lsass.exe stores authentication credentials like encrypted passwords, NT hashes, LM hashes, and Kerberos tickets in memory. Storing these credentials in memory lets users access and share files during active Windows sessions without re-entering the credentials every time they need to perform a task.
Credential stealing is when attackers use tools like Mimikatz to delete, move, edit, or replace the real lsass.exe file. Other popular credentials stealing tools include Crackmapexec and Lsassy.
How Hackers Steal LSASS Credentials
Usually, in credential stealing, attackers remotely access the victim’s computer—hackers gain remote access in several ways. Meanwhile, extracting or making changes to LSASS requires admin privileges. So, the attacker’s first order of business will be to elevate their privileges. With this access, they can install malware to dump the LSASS process, download the dump, and extract the credentials locally from it.
However, Microsoft Defender has become more efficient at identifying and removing malware, meaning hackers tend to resort to Living off the Land attacks. Here, the attacker hijacks vulnerable native Windows apps and uses them to plunder the credentials in LSASS.
For example, using Task Manager, an attacker can open Task Manager, scroll down to “Windows Processes”, and find “Local Security Authority Process.” Right-clicking this gives the attacker the option to create a dump file or open the file location. The attacker’s decision from here on depends on their objectives. They can download the dump file to extract credentials or replace the real lsass.exe with a fake one.
Credential Stealing: How to Check and What to Do
When it comes to checking if you have been a victim of a credential stealing attack, here are five ways you can find out.
1. Lsass.exe Uses a Lot of Hardware Resources
Load up Task Manager and check the process CPU and Memory usage. Normally, this process should use 0 percent of your CPU and about 5 MB of memory. If you see heavy CPU usage and more than 10 MB memory usage, and you have not performed a security-related action like changing your sign-in details recently, then there’s something wrong.
In this case, use Task Manager to end the process. Then, go to the file location and Shift + Delete the file. The real process would throw an error, but a fake one wouldn’t, so you’d know for sure. Also, to be certain, you should check out File History to make sure Windows did not preserve a backup.
2. Lsass.exe Is Misspelt
As in typosquatting, hackers often rename processes they’ve hijacked to look like the real ones. In this case, an attacker may cleverly name the fake process with an uppercase “i” to mimic the appearance of lowercase “L”. A case converter can help you spot the impostor file easily. The fake process name may also have an extra “a” or “s.” If you see such misspelled processes, Shift + Delete the file and follow up with File History to remove backups.
3. Lsass.exe Is in Another Folder
You’ll need to go through Task Manager here. Open Task Manager > Windows Processes, and search for “Local Security Authority Process.” Then, right-click the process to see your options and choose Open File Location. The real lsass.exe file will be in the “C:WindowsSystem32” folder. A file in any other location is most likely malware; remove it.
4. More Than One Lsass Process or File
When you use Task Manager to check, you should only see one “Local Security Authority Process.” It is normal for this process to have activities running when you click the drop-down button. However, if you see more than one Local Security Authority Process running, odds are you’ve been a victim of credential stealing. The same applies to seeing more than one lsass.exe file when you go to the file location. In this case, attempt to delete the files. The real lsass.exe will throw up an error if you try to delete it.
5. The Lsass.exe File Is Too Large
Lsass.exe files are small—the one on our machine running on Windows 11 is 83 KB. The Windows 10 computer we checked has one 60 KB large. So lsass.exe files are tiny. Of course, attackers know a large Lsass.exe file is a dead giveaway, so they generally make their payloads small. A small file size consistent with our values, then, doesn’t tell you much. However, if you factor in the aforementioned tell-tale signs, you can easily spot the malware in disguise.
How to Prevent Credential Stealing Through Windows LSASS
Security on Windows computers continues to improve, but credential stealing is still a potent threat, especially for old devices running outdated operating systems or new ones behind in software updates. Here are three ways to prevent credential stealing for non-advanced Windows users.
Download and Install the Latest Security Updates
Security updates patch vulnerabilities that attackers can exploit to take over your computer. Keeping devices on your network up-to-date reduces the risk of getting hacked. So, set your computer to automatically download and install Windows updates as soon as they become available. You should also get security updates for third-party programs on your PC.
Use Windows Defender Credential Guard
Windows Defender Credential Guard is a security feature that creates an isolated LSASS process (LSAIso). All credentials are securely stored in this isolated process, which, in turn, communicates with the main LSASS process to validate users. This protects the integrity of your credentials and prevents hackers from stealing valuable data in the event of an attack.
Credential Guard is available on the Enterprise and Pro flavors of Windows 10 and Windows 11, as well as select versions of Windows Servers. These devices must also meet strict requirements like Secure Boot and 64-bit virtualization. You must enable this feature manually, as it is not enabled by default.
Disable Remote Desktop Access
Remote Desktop lets you and other authorized persons use a computer without being in the same physical location. It’s great for when you want to get files from a work device on your home machine or when technical support wants to help you troubleshoot a problem you can’t exactly describe. Despite the convenience, remote desktop access also leaves you vulnerable to attacks.
To disable remote access, press the Windows Key then type “remote settings”. Select “Allow remote access to your computer and uncheck “Allow Remote Assistance connection to this computer” in the dialogue box.
You also want to check and remove remote access software like TeamViewer, AeroAdmin, and AnyDesk. Not only do these programs increase your exposure to common malware and vulnerability attacks, but also Living off the Land attacks—where hackers exploit pre-installed programs to carry out an attack.
Attackers Want the Keys to the House, but You Can Stop Them
LSASS holds the keys to your computer. Compromising this process allows attackers to access your device’s secrets at any time. The worst part is that they can access it as though they were a legitimate user. Although you can find and remove these intruders, it is best to prevent them in the first place. Keeping your device updated and adjusting security settings helps you achieve this goal.