LSASS

LSASS is short for Local Security Authority Subsystem Service, and it stores credentials in memory on behalf of a user that has an active (or recently active) session.

This allows the user to access network resourceswithout re-typing their credentials for each service. LSASS may store credentials in multiple forms, including reversibly encrypted password, Kerberos tickets, NT hash, LM hash, DPAPIkeys,and Smartcard PIN. Credentials are stored in LSASS for sessions that have been established since the last reboot and have not been closed.

For example, credentials are created in memory when a user does any of the following: (this is not an exhaustive list).

• Logs on to a local session or RDP session on the computer.

• Runs a process using RunAs.

• Runs an active Windows service on the computer.

• Creates a scheduled task or batch job.

• Runs PsExec with explicit creds, such as PsExec \server -u user -p pwd cmd.

• Uses WinRM with CredSSP.

Alternate Data Stream[ADS]

• Check presence of ADS:

• Ref:https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/

dir /R
binwalk -e file

• Extract data from ADS

more < file.txt:root.txt
Get-Item -path hm.txt -stream *