I can see the line of thinking and where the security team is coming from with their policies, in that they have perceived a threat to security if an illegitimate actor uses this software maliciously, but it's a little misguided IMO. They already own the machine at that point, and it doesn't really matter what software is on the machine because there are numerous ways to dump lsass.exe, extract LSA secrets and perform many other sinister actions. Regardless of what you are using to do the dumping, you need to be a local administrator to dump processes not owned by your own user.

Furthermore, lsass.exe and LSA secrets are only considered safe if the attackers aren't already members of the local Administrators group, and I think it goes without saying that if the attackers are already local administrators, then you've got bigger problems.

I can dump the memory from lsass.exe using task manager as well, for instance.