S0121: Lslsass
Analyst context for executives and security teams
Lslsass matters because it targets credential material in Windows LSASS memory, which can turn one compromised endpoint or administrator context into broader access risk. For leaders, the key issue is not the specific public tool alone, but whether the organization can prevent, detect, and investigate attempts to harvest active logon password hashes from Windows systems.
Executive priority
Prioritize this as a credential-access readiness issue. It affects incident scope decisions, privileged-access risk, lateral-movement containment, and audit evidence around endpoint monitoring and administrative control. Security leaders should ask whether Windows endpoints generate usable evidence for LSASS access, whether privileged sessions are limited, and whether the SOC can distinguish legitimate administrative activity from credential-dumping behavior.
Technical view
Lslsass is a publicly available Windows tool associated in ATT&CK with dumping active logon session password hashes from the lsass process. The object has no ATT&CK-provided detection text, but it is linked to T1003.001, LSASS Memory, under credential access. SOC and IR teams should validate visibility for suspicious process access to LSASS, credential-dump artifacts, execution of known or renamed tooling, and activity occurring under administrative or SYSTEM-level context. The relationship to APT1 provides historical threat-context relevance, but does not by itself prove current activity in any environment.
Likely telemetry
- Windows process creation and command-line telemetry
- Process access events involving lsass.exe
- Endpoint detection and response alerts related to credential dumping or LSASS memory access
- Windows security logs showing privileged logon or administrative context around the activity
- File creation or execution evidence for public credential-dumping tools or renamed binaries
Detection direction
- Confirm whether endpoint telemetry records process access to LSASS, not just process starts.
- Tune detections around unusual or unauthorized access to lsass.exe, especially from non-standard administrative tools or unexpected paths.
- Correlate LSASS access with privileged logons, SYSTEM execution, suspicious file creation, and follow-on authentication activity.
- Account for false positives from legitimate security, backup, administrative, or troubleshooting tools that may interact with sensitive processes.
- Do not rely only on the tool name Lslsass; validate behavior-based coverage because public tools can be renamed.
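The detection direction above can be exercised against telemetry without waiting for a real incident. The following is an added example (not code from the ATT&CK page, from Glexia, or from the Lslsass tool) that triages Sysmon-style process-access records for lsass.exe on behaviour rather than tool name: it keeps only handles that carry memory-read rights, drops an environment-specific allowlist of known readers, enriches each hit with the caller's user and integrity level from process-creation records, and flags system-binary names running from user-writable paths. The record format (`Key=Value|Key=Value`), the sample events, the allowlist and the suspicious-path prefixes are all constructed assumptions for this example and must be tuned per environment; the access-right constants are the documented Win32 values.

```python
"""Behaviour-based triage of LSASS process-access telemetry (added example).

Field names follow Sysmon's ProcessCreate (EventID 1) and ProcessAccess
(EventID 10) events, but the 'Key=Value|Key=Value' line format and every
sample record below are constructed for this example.
"""
from dataclasses import dataclass, field

# Documented Win32 process access rights (winnt.h). Sysmon reports a full-access
# handle as GrantedAccess 0x1FFFFF; PROCESS_VM_READ is the bit needed to read memory.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption: images permitted to read LSASS in this environment (starting point only).
ALLOWLISTED_SOURCES = {
    "c:\\program files\\windows defender\\msmpeng.exe",
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
}
# Assumption: directories from which legitimate LSASS readers rarely run.
SUSPICIOUS_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
# Binary names that belong in System32; the same name elsewhere suggests a renamed tool.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe"}


@dataclass
class Finding:
    utc_time: str
    source_image: str
    granted_access: int
    user: str = "unknown"
    integrity_level: str = "unknown"
    reasons: list = field(default_factory=list)


def parse_record(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' telemetry record."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def reads_memory(granted: int) -> bool:
    """True if the handle could read LSASS memory (full access or PROCESS_VM_READ)."""
    return granted == PROCESS_ALL_ACCESS or bool(granted & PROCESS_VM_READ)


def triage(lines) -> list:
    """Return findings for memory-read access to lsass.exe from non-allowlisted images,
    enriched with caller context from process-creation records when available."""
    records = [parse_record(ln) for ln in lines if ln.strip()]
    created = {r["ProcessId"]: r for r in records if r.get("EventID") == "1"}
    findings = []
    for r in records:
        if r.get("EventID") != "10":
            continue
        if not r.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        granted = int(r.get("GrantedAccess", "0x0"), 16)
        if not reads_memory(granted):
            continue  # query-only handles (e.g. 0x1000) are common and low-signal
        source = r.get("SourceImage", "").lower()
        if source in ALLOWLISTED_SOURCES:
            continue
        f = Finding(r.get("UtcTime", ""), r.get("SourceImage", ""), granted)
        f.reasons.append("full access" if granted == PROCESS_ALL_ACCESS else "memory read")
        if source.startswith(SUSPICIOUS_PREFIXES):
            f.reasons.append("non-standard path")
        name = source.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARY_NAMES and not source.startswith("c:\\windows\\system32\\"):
            f.reasons.append("system binary name outside System32")
        ctx = created.get(r.get("SourceProcessId"))
        if ctx:
            f.user = ctx.get("User", f.user)
            f.integrity_level = ctx.get("IntegrityLevel", f.integrity_level)
        if f.integrity_level in {"High", "System"}:
            f.reasons.append("privileged context (%s)" % f.integrity_level)
        findings.append(f)
    return findings


# Constructed sample telemetry: one allowlisted reader, one renamed binary from a
# user profile, one query-only handle, and one full-access handle from Windows\Temp.
SAMPLE_TELEMETRY = [
    r"EventID=1|UtcTime=2024-05-01 10:00:01|ProcessId=3300|Image=C:\Program Files\Windows Defender\MsMpEng.exe|User=NT AUTHORITY\SYSTEM|IntegrityLevel=System",
    r"EventID=1|UtcTime=2024-05-01 10:00:05|ProcessId=4120|Image=C:\Users\bob\AppData\Local\Temp\svchost.exe|User=CORP\bob|IntegrityLevel=High",
    r"EventID=1|UtcTime=2024-05-01 10:00:09|ProcessId=5000|Image=C:\Windows\System32\taskmgr.exe|User=CORP\helpdesk|IntegrityLevel=High",
    r"EventID=10|UtcTime=2024-05-01 10:01:00|SourceProcessId=3300|SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|UtcTime=2024-05-01 10:01:07|SourceProcessId=4120|SourceImage=C:\Users\bob\AppData\Local\Temp\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|UtcTime=2024-05-01 10:01:12|SourceProcessId=5000|SourceImage=C:\Windows\System32\taskmgr.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=10|UtcTime=2024-05-01 10:01:20|SourceProcessId=6100|SourceImage=C:\Windows\Temp\updater.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_TELEMETRY):
        print(f.utc_time, f.source_image, hex(f.granted_access), f.user,
              f.integrity_level, "; ".join(f.reasons))
```

On the sample input the Defender process is dropped by the allowlist and Task Manager's 0x1000 handle is dropped because it lacks PROCESS_VM_READ, leaving two findings: the svchost.exe copy in a user profile (memory read, non-standard path, renamed system binary, High integrity, user CORP\bob) and the Windows\Temp binary with a full-access handle. The point of the design is the one the list above makes: the name of the source binary never decides the outcome, only the access rights, the path and the privilege context do.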
Mitigation priorities
- Reduce unnecessary local administrator and SYSTEM-level exposure on Windows endpoints.
- Limit where privileged users log on so fewer high-value credentials are present in LSASS memory.
- Harden endpoint monitoring and response workflows for credential-access behavior tied to LSASS memory.
- Ensure incident response playbooks include rapid credential containment, host isolation decisions, and privileged-account review when LSASS dumping is suspected.
- Validate compliance evidence showing privileged-access governance and endpoint monitoring coverage for Windows credential-access scenarios.
Analyst notes and limits
This ATT&CK object is sparse: it identifies Lslsass as a public tool for dumping active logon session password hashes from LSASS and links it to LSASS Memory credential access. The practical value is to test whether Windows credential-dumping behavior is observable and actionable, not merely whether a named binary is blocked.
Official ATT&CK detection guidance is not provided for this tool. Tactics are not specified on the tool object itself, though the related technique is credential-access on Windows. Local telemetry, endpoint configuration, administrative practices, and business criticality are required to assess actual exposure or coverage.
Lslsass
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.001 | LSASS Memory (sub-technique) | Lslsass can dump active logon session password hashes from the lsass process. [1] |
Groups, software, and campaigns
G0006: APT1
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 14f5acdaaf7d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mandiant APT1: Mandiant. (n.d.). APT1 Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
- [2] mitre-attack S0121: MITRE ATT&CK source record for S0121.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.