LSASS.DMP... Attacker or Admin?
When analysing a system for evidence of attacker activity, the presence of a file named LSASS.DMP should pique your interest as an investigator, as it can be an indication of credential theft and possible privilege escalation. However, if there is no other evidence of compromise on the system, or the creation timestamp of LSASS.DMP falls outside your intrusion timeline, you may be left questioning whether the dump relates to this breach, a historical breach, a red team exercise, or no breach at all. In this blog I will share an analysis technique which recently helped me ascertain with high confidence that an LSASS.DMP file was generated by an administrator and was not related to the intrusion we were investigating.

What is LSASS.DMP?

The Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system, such as verifying users during user logons and password changes. LSASS.DMP is a dump fi
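The triage question raised above (is the dump inside the intrusion window, and which process wrote it?) can be answered from file-creation telemetry. The following is an added example, not code from the post: it runs over constructed Sysmon-style FileCreate records and a constructed intrusion window, and flags any LSASS dump file together with the process that created it, so the investigator can compare it against the timeline before drawing conclusions.

```python
from datetime import datetime

# Constructed Sysmon Event ID 11 (FileCreate) records, not taken from any real case.
# Each record: UTC creation time, creating process image, and the file written.
SAMPLE_EVENTS = [
    {"utc": "2023-03-01T09:12:44",
     "image": r"C:\Windows\System32\Taskmgr.exe",        # admin tooling
     "target": r"C:\Users\admin\AppData\Local\Temp\lsass.DMP"},
    {"utc": "2023-03-14T02:03:10",
     "image": r"C:\Windows\Temp\unknown_binary.exe",     # constructed placeholder
     "target": r"C:\Windows\Temp\lsass.dmp"},
    {"utc": "2023-03-14T02:05:00",
     "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\admin\Documents\notes.txt"},
]

# Constructed intrusion window for this example (hypothetical dates).
INTRUSION_START = datetime(2023, 3, 13, 0, 0, 0)
INTRUSION_END = datetime(2023, 3, 15, 0, 0, 0)


def is_lsass_dump(path):
    """True if the file name looks like an LSASS process dump (case-insensitive)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.startswith("lsass") and name.endswith(".dmp")


def triage_lsass_dumps(events, window_start, window_end):
    """Return one finding per LSASS dump: when it was written, by what, and
    whether the creation time sits inside the intrusion window."""
    findings = []
    for ev in events:
        if not is_lsass_dump(ev["target"]):
            continue
        created = datetime.fromisoformat(ev["utc"])
        findings.append({
            "path": ev["target"],
            "created_utc": created,
            "image": ev["image"],
            "in_window": window_start <= created <= window_end,
        })
    # Dumps inside the window are reviewed first.
    return sorted(findings, key=lambda f: (not f["in_window"], f["created_utc"]))


if __name__ == "__main__":
    for f in triage_lsass_dumps(SAMPLE_EVENTS, INTRUSION_START, INTRUSION_END):
        print(f"{f['created_utc']} in_window={f['in_window']} {f['image']} -> {f['path']}")
```

A dump outside the window written by a known administrative tool warrants a different line of questioning (was an admin troubleshooting?) than one inside the window written by an unrecognised binary.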