Inside LSASS - Ticket Extraction

The main focus of this blog post is explaining how Kerberos tickets are cached in LSASS, how they can be extracted, and how they can be used to impersonate other users. Ticket extraction will be demonstrated both automatically using Mimikatz and manually by inspecting a memory dump of lsass.exe. A fix to the Mimikatz source code will be applied to make it parse tickets correctly.

1. Introducing LSASS

The Local Security Authority Subsystem Service (LSASS.exe) is a Windows process that handles local security policies and user authentication, and stores credentials in memory. Because of this, it is a valuable target for attackers who want to move laterally inside a network. ...

April 16, 2026