nerdexam
GIAC

GCIH · Question #765

Which Windows process would an attacker target to steal credentials from a user who logs into applications with a Password Manager?

The correct answer is D. LSASS. LSASS is the Windows process responsible for handling authentication and storing credentials in memory, making it the primary target for credential theft attacks.

Vulnerability Exploitation & Privilege Escalation

Question

Which Windows process would an attacker target to steal credentials from a user who logs into applications with a Password Manager?

Options

  • AClipboard
  • BREGSVC
  • CExplorer
  • DLSASS

How the community answered

(62 responses)
  • A
    8% (5)
  • B
    18% (11)
  • C
    3% (2)
  • D
    71% (44)

Why each option

LSASS is the Windows process responsible for handling authentication and storing credentials in memory, making it the primary target for credential theft attacks.

AClipboard

The clipboard holds copied data transiently and many password managers clear it within seconds, making it an unreliable and lower-value target compared to LSASS.

BREGSVC

REGSVC is the Windows Registry service and does not store live authentication credentials or session tokens in memory.

CExplorer

Explorer.exe is the Windows shell process and does not handle credential storage or authentication processing.

DLSASSCorrect

LSASS (Local Security Authority Subsystem Service) stores authentication tokens, NTLM hashes, and Kerberos tickets in memory. Attackers use tools like Mimikatz to dump credentials directly from LSASS memory, capturing any credentials the password manager has used to authenticate to Windows or domain resources. Because all Windows authentication flows through LSASS, it remains the highest-value credential target regardless of how credentials are initially entered.

Concept tested: LSASS credential dumping and Windows authentication

Source: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

Topics

#LSASS#credential theft#password manager#Windows process

Community Discussion

No community discussion yet for this question.

Full GCIH Practice