OS Credential Dumping: LSASS Memory
Reference: attack.mitre.org

8 syscalls implement this technique:
- NtReadVirtualMemory
Reads bytes from the virtual address space of a target process into a caller-supplied buffer.
- NtOpenProcess
Opens a handle to an existing process with a requested access mask.
- NtSuspendThread
Increments the suspend count of a target thread, halting its execution.
- NtCreateToken
Forges an access token from scratch with caller-specified user, groups, privileges, owner, default DACL and source — gated by SeCreateTokenPrivilege.
- NtQuerySystemInformation
Retrieves a class of system-wide information — process list, kernel handle table, loaded driver list, code-integrity status, and more.
- NtReadFile
Reads bytes from a file, device, named pipe or mapped section into a user buffer — the kernel primitive behind ReadFile.
- NtDuplicateObject
Duplicates a handle from a source process into a target process, optionally adjusting access or closing the source.
- NtQueryObject
Returns metadata about a kernel object handle: basic info, name, type, or the system-wide type table.