LSASS, NTDS.dit & WDigest

1. What These Components Are

LSASS (Local Security Authority Subsystem Service)

  • lsass.exe is a core Windows process that manages local security, authentication, and policy enforcement.

  • It holds sensitive credential material in memory: NTLM / LM hashes, Kerberos tickets, and (in some scenarios) clear-text passwords.

  • Because of this, it's a common target for credential dumping by attackers.

NTDS.dit

  • NTDS.dit is the Active Directory database file on a Domain Controller. It stores user and computer account data, group membership, and most critically, password hashes.

  • Its compromise gives attackers access to all domain credentials (e.g., NTLM, Kerberos) in one place.

  • Dumping this file is covered by MITRE ATT&CK as OS Credential Dumping – NTDS.

WDigest

  • WDigest is a legacy authentication protocol (used for HTTP and SASL authentication) in older Windows versions, implemented in wdigest.dll.

  • If enabled (via registry), WDigest causes LSASS to keep plain-text credentials in memory.

  • Attackers often enable this (UseLogonCredential = 1) to dump cleartext passwords.


2. Forensic / Attack Scenarios

Here’s how attackers abuse these components and how you can investigate them:

LSASS

  • Common attack technique: dumping LSASS memory (e.g. with Mimikatz, ProcDump, or other tools) to extract credentials.

  • Forensic value / what to investigate:

    • Acquire LSASS memory (either live or via minidump) and analyze it with tools like Mimikatz; sekurlsa::logonpasswords can show hashes, clear-text credentials, and tickets.

    • Watch for abnormal process creation or lsass.exe access.

    • Use EDR / Sysmon to detect suspicious access to LSASS.

NTDS.dit

  • Common attack technique: dumping the AD database to extract all user credentials, using Volume Shadow Copy or ntdsutil.exe to copy NTDS.dit even though it's “locked.”

  • Forensic value / what to investigate:

    • On Domain Controllers, monitor for shadow copy (VSS) creation plus access to NTDS.dit. MITRE’s DET0586 describes detection.

    • After obtaining a copy, extract the SYSTEM hive to decrypt the hashes, parse NTDS.dit, and inspect account data.

    • Correlate with other AD events/logs to understand misuse.

WDigest

  • Common attack technique: enabling WDigest in the registry (UseLogonCredential = 1) so LSASS stores plaintext credentials, then dumping LSASS to get clear-text passwords.

  • Forensic value / what to investigate:

    • Check the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential. If it is set to 1, that's a big red flag.

    • Monitor for tools / processes that dump LSASS memory after such a change.

    • Consider whether RunAsPPL (“protected process”) is enabled for LSASS to make dumping harder.


3. Mitigations & Hardening

  • Disable WDigest Clear-Text Credentials: set UseLogonCredential = 0 at HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.

  • Enable LSASS Protection (PPL): configure LSASS to run as a “Protected Process Light” so only signed/protected processes can access it.

  • Secure Domain Controller Backups

    • Limit who can access VSS/shadow copies.

    • Monitor for shadow copy creation and suspicious file access to NTDS.dit.

  • Audit & Logging

    • Enable PowerShell and command-line auditing to catch ntdsutil.exe, secretsdump.py, or similar tools.

    • Log LSASS access, driver loading, and memory dump attempts (if your EDR supports it).
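The two registry-level mitigations above (WDigest off, LSASS as PPL) are easy to audit and to apply from PowerShell. The script below is an added example, not code from the original page: it reports the current state of both values and, as a separate step, applies the hardened settings. It assumes an elevated PowerShell session on the host being checked; the function names and the -WhatIf-aware remediation are this example's own, not a Windows API.

```powershell
# Added example (not from the original page). Assumes an elevated PowerShell
# session on the host being audited; function names are this example's own.

$WDigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LsaPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CredentialHardeningState {
    [CmdletBinding()]
    param()

    # A missing UseLogonCredential value means "off" on Windows 8.1 / Server 2012 R2
    # and later; on older hosts patched with KB2871997 the value must exist and be 0.
    $wdigest = (Get-ItemProperty -Path $WDigestPath -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $ppl     = (Get-ItemProperty -Path $LsaPath -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    $wdigestShown = if ($null -eq $wdigest) { 'absent' } else { $wdigest }
    $pplShown     = if ($null -eq $ppl)     { 'absent' } else { $ppl }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        UseLogonCredential   = $wdigestShown
        WDigestClearTextRisk = ($wdigest -eq 1)             # 1 = LSASS keeps plaintext passwords
        RunAsPPL             = $pplShown
        LsassProtected       = ($ppl -eq 1 -or $ppl -eq 2)  # 2 = enabled without UEFI lock (Windows 11 22H2+)
    }
}

function Set-CredentialHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # The WDigest key may not exist at all on a clean host; create it so the value can be pinned to 0.
    if (-not (Test-Path $WDigestPath)) { New-Item -Path $WDigestPath -Force | Out-Null }

    if ($PSCmdlet.ShouldProcess($WDigestPath, 'Set UseLogonCredential = 0')) {
        New-ItemProperty -Path $WDigestPath -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($LsaPath, 'Set RunAsPPL = 1')) {
        New-ItemProperty -Path $LsaPath -Name RunAsPPL -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Write-Warning 'RunAsPPL takes effect only after a reboot, and secrets already cached in LSASS remain there until then.'
}

# Usage: report first, then dry-run the change before applying it for real.
Get-CredentialHardeningState | Format-List
Set-CredentialHardening -WhatIf
```

Two caveats a practitioner should keep in mind before rolling the remediation out: turning on RunAsPPL blocks any unsigned LSA plugin or authentication package (some third-party SSO, smart-card and password-filter products), so test on a pilot group first; and setting UseLogonCredential to 0 does not scrub passwords that LSASS has already cached, those go away only when the affected sessions end or the host reboots.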


4. Investigation Workflow

  1. Triage and Detection

    • Search for registry modifications to WDigest (UseLogonCredential).

    • Detect Volume Shadow Copy creation around times when NTDS.dit might have been accessed.

    • Identify suspicious process creation (e.g. ntdsutil.exe, mimikatz, secretsdump.py).

  2. Collection

    • If possible, take a memory dump of lsass.exe.

    • From a Domain Controller: acquire NTDS.dit (via shadow copy or offline image) and the SYSTEM hive for decryption.

  3. Parsing and Analysis

    • Use Mimikatz (or similar) to analyze LSASS memory for credentials.

    • Use tools (e.g. ntdsutil, AD forensic tools) to parse NTDS.dit and extract NTLM/Kerberos hashes and account metadata.

    • Decrypt using the boot key from the SYSTEM hive.

  4. Correlation & Reporting

    • Correlate credential dumps with suspicious activity (lateral movement, account misuse).

    • Document findings: which accounts were compromised, what types of credentials (plaintext, hash), when the compromise likely happened.

    • Recommend mitigations: disable WDigest, enforce LSASS protection, limit DC access, improve logging.
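The "what to investigate" column in section 2 and step 1 of this workflow name three indicator classes: processes opening lsass.exe, the WDigest registry value being set, and shadow-copy or ntdsutil activity. The function below is an added example, not code from the original page, that pulls all three from the Sysmon operational log onto one timeline. It assumes Sysmon is installed with a configuration that records Event ID 1 (process create), 10 (process access, including access to lsass.exe) and 13 (registry value set); the function name, the -Hours window and the source-image allow-list are this example's own choices and should be tuned to the estate.

```powershell
# Added example (not from the original page). Assumes Sysmon with events 1, 10 and 13
# enabled; the function name, -Hours and the allow-list are this example's assumptions.

function Get-CredentialDumpIndicators {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        # Processes that legitimately open LSASS on most hosts; extend after baselining.
        [string[]]$AllowedSourceImages = @(
            'C:\Windows\System32\csrss.exe',
            'C:\Windows\System32\wininit.exe',
            'C:\Windows\System32\svchost.exe'
        )
    )

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1, 10, 13
        StartTime = $since
    } -ErrorAction SilentlyContinue   # no matching events is not an error here

    foreach ($e in $events) {
        # Flatten the <Data Name="..."> nodes of EventData into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $hit = switch ($e.Id) {
            10 {
                # Any non-allow-listed process opening LSASS is worth a look; GrantedAccess
                # is reported so it can be compared with the masks your Sysmon/Sigma rules use.
                if ($d.TargetImage -like '*\lsass.exe' -and $AllowedSourceImages -notcontains $d.SourceImage) {
                    "LSASS opened by $($d.SourceImage) with GrantedAccess $($d.GrantedAccess)"
                }
            }
            13 {
                # Details carries the new value, e.g. a DWORD of 1 means plaintext caching was enabled.
                if ($d.TargetObject -like '*\SecurityProviders\WDigest\UseLogonCredential') {
                    "WDigest UseLogonCredential written as '$($d.Details)' by $($d.Image)"
                }
            }
            1 {
                $img = [System.IO.Path]::GetFileName($d.Image)
                if ($img -in 'ntdsutil.exe', 'vssadmin.exe', 'diskshadow.exe' -or
                    $d.CommandLine -match 'ntds\.dit|sekurlsa|secretsdump|procdump.*lsass') {
                    "Process $img started by $($d.ParentImage): $($d.CommandLine)"
                }
            }
        }

        if ($hit) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                EventId   = $e.Id
                Host      = $e.MachineName
                Indicator = $hit
            }
        }
    }
}

# Usage: one ordered timeline for the last three days, ready for the correlation step.
Get-CredentialDumpIndicators -Hours 72 | Sort-Object Time | Format-Table -AutoSize
```

Read the output as leads, not verdicts: vssadmin and ntdsutil run legitimately during backups and IFM media creation, and backup agents or AV engines may open LSASS, so the first pass on any new estate is to baseline and extend the allow-list. The ordering matters for the correlation step: a WDigest write (Event ID 13) followed within minutes by a non-allow-listed LSASS open (Event ID 10) is the sequence section 2 describes, and is far more significant than either event on its own.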
