GCIH · Question #765
Which Windows process would an attacker target to steal credentials from a user who logs into applications with a Password Manager?
The correct answer is D. LSASS. LSASS is the Windows process responsible for handling authentication and storing credentials in memory, making it the primary target for credential theft attacks.
Question
Which Windows process would an attacker target to steal credentials from a user who logs into applications with a Password Manager?
Options
- AClipboard
- BREGSVC
- CExplorer
- DLSASS
How the community answered
(62 responses)- A8% (5)
- B18% (11)
- C3% (2)
- D71% (44)
Why each option
LSASS is the Windows process responsible for handling authentication and storing credentials in memory, making it the primary target for credential theft attacks.
The clipboard holds copied data transiently and many password managers clear it within seconds, making it an unreliable and lower-value target compared to LSASS.
REGSVC is the Windows Registry service and does not store live authentication credentials or session tokens in memory.
Explorer.exe is the Windows shell process and does not handle credential storage or authentication processing.
LSASS (Local Security Authority Subsystem Service) stores authentication tokens, NTLM hashes, and Kerberos tickets in memory. Attackers use tools like Mimikatz to dump credentials directly from LSASS memory, capturing any credentials the password manager has used to authenticate to Windows or domain resources. Because all Windows authentication flows through LSASS, it remains the highest-value credential target regardless of how credentials are initially entered.
Concept tested: LSASS credential dumping and Windows authentication
Source: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
Topics
Community Discussion
No community discussion yet for this question.