AN0648: Analytic 0648
Processes accessing LSASS memory or SAM registry hives outside of trusted security tools, often followed by file creation or lateral movement. Detects unauthorized access to sensitive OS subsystems for credential extraction.
Analyst context for executives and security teams
This analytic matters because access to LSASS memory or SAM registry hives is a high-value warning sign for possible credential extraction on Windows systems. For leaders, the decision value is not only whether a detection exists, but whether the organization can prove it sees unusual access to sensitive credential stores and can distinguish trusted security tooling from unauthorized processes quickly enough to support incident response.
Executive priority
Prioritize this as an identity and incident-readiness control point for Windows environments. Credential material from LSASS or SAM can enable broader compromise and lateral movement, so executives should ask whether endpoint telemetry, alert triage, and response authority are sufficient to contain suspected credential access. This also supports audit and compliance evidence around monitoring of privileged systems, protection of credentials, and investigation readiness.
Technical view
Validate monitoring for processes that access LSASS memory or SAM registry hives outside of trusted security tools. Because the official object provides no tactic mapping and no detailed detection logic, SOC teams should focus on confirming that Windows endpoint telemetry can record sensitive process access (for example Sysmon Event ID 10, which records the source image, target image, and the GrantedAccess mask), registry hive access (Windows Security event 4663 object-access auditing on the SAM key, which requires a SACL, or equivalent EDR registry telemetry), subsequent file creation, and any related lateral movement indicators. The access mask matters: reading credential material out of LSASS requires the PROCESS_VM_READ right (0x0010), so a handle that only queries process information is a much weaker signal than one that includes memory-read rights. Detection engineering should maintain an allowlist or baseline for approved security and administration tools while treating unexpected access by user-launched, script-driven, or uncommon processes as higher priority.
Likely telemetry
- Windows endpoint process creation and process access events
- Signals showing access to LSASS memory
- Registry access or hive access involving SAM
- File creation events following sensitive subsystem access
- Endpoint security tool alerts for credential-access-like behavior
Detection direction
- Confirm that telemetry includes process identity, parent process, user context, command line where available, target process or registry object, host, and timestamp.
- Tune around known trusted security tools, but key exclusions to the full image path (and signer, where telemetry provides it) rather than the process name alone, and review whether overly broad exclusions could hide unauthorized LSASS or SAM access; a renamed binary or a malicious process launched from an excluded directory should not inherit the exclusion.
- Correlate sensitive access with follow-on file creation or lateral movement activity, as noted in the official description.
- Prioritize alerts on servers, administrator workstations, domain administration systems, and other hosts where credential exposure would increase business impact.
- Account for false positives from legitimate endpoint security, backup, forensics, and administrative tools, but require documented justification for exclusions.
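The technical view and detection direction above describe the logic in prose; the Python below is an added worked example written for this page, not MITRE's detection logic and not anything carried by the AN0648 object. It assumes a normalized event schema (for instance built from Sysmon Event ID 10 process-access, Event ID 11 file-create, and Security 4663 registry-audit records), a hypothetical full-path allowlist, a hypothetical list of high-value hosts, and constructed sample events. It flags LSASS access only when the granted access mask includes PROCESS_VM_READ, flags any access to the SAM hive, suppresses allowlisted images by full path, and escalates severity when the same process writes a file on the same host within five minutes.

```python
"""Added example: allowlist-aware detection logic for AN0648-style telemetry.

Illustrative code written for this page, not MITRE's analytic logic.
The event schema, trusted-tool list and host list below are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# PROCESS_VM_READ is the Windows access right needed to read another process's
# memory; credential dumping from LSASS needs it, a simple query does not.
PROCESS_VM_READ = 0x0010

# SAM hive as Sysmon renders it (HKLM\SAM\...) or as the kernel registry path.
SAM_HIVE = re.compile(r"^(HKLM\\SAM|\\REGISTRY\\MACHINE\\SAM)(\\|$)", re.IGNORECASE)


@dataclass
class Event:
    """Normalized endpoint event (assumed schema, e.g. built from Sysmon EID 10/11
    or Security 4663). kind is 'process_access', 'registry_access' or 'file_create'."""
    ts: datetime
    host: str
    kind: str
    image: str               # full path of the acting process
    user: str
    parent: str              # parent process image
    target: str              # TargetImage, TargetObject or TargetFilename
    granted_access: int = 0  # Sysmon GrantedAccess mask (process_access only)


def is_sensitive(ev: Event) -> bool:
    """True for memory-read access to lsass.exe or any access to the SAM hive."""
    if ev.kind == "process_access":
        return (ev.target.lower().endswith("\\lsass.exe")
                and bool(ev.granted_access & PROCESS_VM_READ))
    if ev.kind == "registry_access":
        return SAM_HIVE.match(ev.target) is not None
    return False


def detect(events, trusted_images, high_value_hosts, window=timedelta(minutes=5)):
    """Flag untrusted sensitive access; correlate follow-on file creation by the
    same image on the same host inside `window`; rank by host value."""
    trusted = {p.lower() for p in trusted_images}  # full path, never name alone
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(ordered):
        if not is_sensitive(ev) or ev.image.lower() in trusted:
            continue
        created = [e.target for e in ordered[i + 1:]
                   if e.kind == "file_create" and e.host == ev.host
                   and e.image.lower() == ev.image.lower()
                   and e.ts - ev.ts <= window]
        severity = "high" if ev.host in high_value_hosts else "medium"
        if created:  # sensitive access followed by an output file
            severity = "critical" if severity == "high" else "high"
        findings.append({
            "ts": ev.ts, "host": ev.host, "user": ev.user, "image": ev.image,
            "parent": ev.parent, "kind": ev.kind, "target": ev.target,
            "created_files": created, "severity": severity,
        })
    return findings


# Hypothetical allowlist and high-value host list (assumptions for this example).
TRUSTED_IMAGES = [
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
    r"C:\Program Files\ExampleEDR\sensor.exe",
]
HIGH_VALUE_HOSTS = {"WS-ADMIN01", "DC01"}

T0 = datetime(2026, 1, 15, 10, 0, 0)
LSASS = r"C:\Windows\System32\lsass.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events; these are not real logs.
SAMPLE_EVENTS = [
    # trusted AV engine reading LSASS: suppressed by the allowlist
    Event(T0, "WS-ADMIN01", "process_access", TRUSTED_IMAGES[0], "SYSTEM",
          r"C:\Windows\System32\services.exe", LSASS, 0x1FFFFF),
    # user-launched binary reading LSASS memory, then writing a file 30 s later
    Event(T0 + timedelta(minutes=1), "WS-ADMIN01", "process_access",
          r"C:\Users\jdoe\Downloads\tool.exe", r"CORP\jdoe",
          r"C:\Windows\System32\cmd.exe", LSASS, 0x1010),
    Event(T0 + timedelta(minutes=1, seconds=30), "WS-ADMIN01", "file_create",
          r"C:\Users\jdoe\Downloads\tool.exe", r"CORP\jdoe",
          r"C:\Windows\System32\cmd.exe", r"C:\Users\jdoe\Downloads\lsass.dmp"),
    # query-only handle to LSASS (no PROCESS_VM_READ): not a memory read
    Event(T0 + timedelta(minutes=2), "SRV-FILE01", "process_access",
          r"C:\Windows\System32\svchost.exe", "SYSTEM",
          r"C:\Windows\System32\services.exe", LSASS, 0x1000),
    # reg.exe touching the SAM hive from a PowerShell parent on a file server
    Event(T0 + timedelta(minutes=5), "SRV-FILE01", "registry_access",
          r"C:\Windows\System32\reg.exe", r"CORP\svc-backup", PS,
          r"HKLM\SAM\SAM\Domains\Account"),
    # file write by reg.exe well outside the correlation window: not linked
    Event(T0 + timedelta(minutes=20), "SRV-FILE01", "file_create",
          r"C:\Windows\System32\reg.exe", r"CORP\svc-backup", PS,
          r"C:\Windows\Temp\later.txt"),
]


def run():
    return detect(SAMPLE_EVENTS, TRUSTED_IMAGES, HIGH_VALUE_HOSTS)


if __name__ == "__main__":
    for f in run():
        print(f["severity"], f["host"], f["image"], "->", f["target"], f["created_files"])
```

Run directly to print the two findings: the tool.exe read of LSASS on the administrator workstation is critical because a dump file follows it, while the reg.exe SAM access stays medium because its only file write falls outside the window. The window and the host list are the two knobs that need tuning per environment; the full-path allowlist is deliberately not a name match, so a renamed copy of a trusted tool in a user directory is still flagged.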
Mitigation priorities
- Reduce unnecessary local administrative access on Windows systems and review where privileged credentials are exposed.
- Harden and monitor endpoints that commonly hold privileged sessions or sensitive credentials.
- Limit and document tools authorized to access LSASS memory or SAM registry hives.
- Ensure incident response playbooks include credential-access triage, host isolation decision points, and credential reset or token invalidation procedures where appropriate.
- Use this analytic as evidence input for control validation, not as proof of complete credential theft prevention.
Analyst notes and limits
This object is a detection analytic, not a technique description. Its strongest use is as a validation prompt: can the organization observe and investigate unauthorized access to Windows credential-related subsystems, and can analysts separate approved security activity from suspicious access? The absence of relationship context means no specific ATT&CK techniques, campaigns, or software should be inferred from this object alone.
Official detection logic is not provided, tactics are not specified, and no relationships are supplied. This assessment is therefore limited to the official description, Windows platform scope, external reference, and object metadata. Local endpoint logging configuration, EDR capabilities, the approved tool inventory, and environment baselines are required to determine actual coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3b372b7f92b9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0648
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.