The case illustrates the power of structured host-based triage — beginning with logs and EDR, and moving through file inspection, RAM capture, and finally, network artifact confirmation.

Host-Based Credential Dumping Case Study: LSASS Memory Scraping

This case study demonstrates a structured investigation of a suspicious host-based credential access attempt involving LSASS (Local Security Authority Subsystem Service) memory scraping. The notebook walks through a complete triage of a simulated EDR alert triggered by abnormal process behavior, culminating in detection of credential harvesting tactics used by attackers in modern enterprise environments.

Case Summary

  • Alert Trigger: Anomalous process chain — explorer.exe → cmd.exe → powershell.exe with a base64-encoded command.
  • Target System: Remote employee workstation (Windows 10).
  • Triage Framework: Host-based local triage using a 5-step forensic methodology.
  • Key Discovery: Suspicious PowerShell script decoded to PowerDump.ps1, a known credential harvesting tool targeting lsass.exe.

Technical Focus Areas

  • Detection and analysis of parent-child process anomalies.
  • Understanding memory scraping techniques used to extract credentials from lsass.exe.
  • Mapping attacker actions across a six-layer Windows operating system triage model.
  • Registry persistence, dropped binaries, and command-line obfuscation.
  • Use of EDR telemetry and Windows Event Logs for endpoint analysis.
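
As an added illustration, not code from the notebook or the repository, the two checks named above (parent-chain anomaly and encoded command line) run over constructed process-creation telemetry. The field names pid/ppid/image/cmdline and every sample value are assumptions; PowerShell's -EncodedCommand takes base64 of UTF-16LE text, which is why the decoder uses that encoding.

```python
import base64
import re
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
SUSPICIOUS_CHAIN = ("explorer.exe", "cmd.exe", "powershell.exe")
KNOWN_TOOLS = ("powerdump.ps1",)  # script name taken from the case study
def encode_ps(cmd):
    """-EncodedCommand takes base64 of the UTF-16LE command text (used here only to build sample data)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")
def decode_ps(blob):
    """Decode an -EncodedCommand blob, or return None if it is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None

def ancestry(events, pid):
    """Follow ppid links back to the root; returns image basenames, oldest first."""
    by_pid, chain, seen = {e["pid"]: e for e in events}, [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def triage(events):
    """Flag powershell.exe launches with the case-study lineage and/or an encoded command line."""
    findings = []
    for e in (e for e in events if e["image"].lower().endswith("powershell.exe")):
        chain = ancestry(events, e["pid"])
        m = ENC_FLAG.search(e["cmdline"])
        decoded = decode_ps(m.group(1)) if m else None
        reasons = []
        if tuple(chain[-3:]) == SUSPICIOUS_CHAIN:
            reasons.append("parent chain explorer.exe -> cmd.exe -> powershell.exe")
        if decoded is not None:
            reasons.append("base64-encoded command line")
            if any(t in decoded.lower() for t in KNOWN_TOOLS):
                reasons.append("decoded command references a known credential-dumping script")
        if reasons:
            findings.append({"pid": e["pid"], "chain": " -> ".join(chain), "decoded": decoded, "reasons": reasons})
    return findings
# Constructed sample process-creation telemetry (Sysmon Event ID 1 style fields), not data from the case study.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4312, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c powershell.exe ..."},
    {"pid": 4320, "ppid": 4312, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + encode_ps(r"Invoke-Expression (Get-Content .\PowerDump.ps1 -Raw)")},
    {"pid": 5100, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]
```

Running `triage(SAMPLE_EVENTS)` reports only pid 4320, with all three reasons, while the direct explorer.exe → powershell.exe -File launch stays quiet.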

Notebook Contents

| Section | Description |
| --- | --- |
| Incident Description | Overview of the alert and host context |
| System Anatomy | Detailed breakdown of host OS layers involved |
| Process Triage | Behavioral analysis of process chains |
| Memory Scraping & Credential Access | Review of in-memory data access and scraping tactics |
| Registry & Persistence Mechanisms | Analysis of autostart keys and dropped executables |
| Root Cause Analysis | Final findings on misconfigurations and impact |
| Lessons Learned | Defensive takeaways and mitigation guidance |

Skills Demonstrated

  • Endpoint Detection & Response (EDR) analysis
  • Windows host forensics
  • Memory forensics and credential access detection
  • Threat triage modeling and adversary behavior mapping
  • Markdown-based case documentation and structured investigation writing

Author

Steven Tuschman
CompTIA Security+ | CySA+ (in progress)
GitHub: Compcode1
License

This project is for educational and professional demonstration purposes. No real user or system data is included.
