Updated on September 29, 2025
In the context of cybersecurity and penetration testing, sekurlsa is a module within the post-exploitation tool Mimikatz. Its name, a combination of “security” and “lsass,” points directly to its function. It interacts with the Local Security Authority Subsystem Service (LSASS) process to extract credentials from memory. This process, which manages security policies and authenticates users in Windows, holds sensitive information like plaintext passwords, NTLM hashes, and Kerberos tickets. Understanding how sekurlsa works is crucial for defenders to implement proper mitigations.
Definition and Core Concepts
sekurlsa is a Mimikatz module that targets the LSASS process memory. Its primary purpose is to dump credentials that are stored in a clear or recoverable state. These credentials are required by the Windows operating system to facilitate single sign-on (SSO) and other authentication mechanisms without requiring users to re-enter their passwords constantly.
Foundational Concepts
- LSASS.exe: The Local Security Authority Subsystem Service is the core Windows process responsible for enforcing the security policy on a system. When a user logs in, their credentials are validated and then stored in the LSASS process memory for the duration of the session.
- In-Memory Credentials: LSASS stores various forms of credentials in Random Access Memory (RAM), including plaintext passwords, NTLM hashes, and Kerberos tickets.
- Mimikatz: A well-known open-source tool used by both red teams and malicious actors to gather credentials from Windows systems.
How It Works
The sekurlsa module exploits the legitimate function of the LSASS process to extract credentials. It typically involves a few key steps.
Privilege Escalation
An attacker must first gain administrative or SYSTEM-level privileges on the target machine, because reading the memory of a protected process like LSASS requires high-level permissions.
Process Injection/Memory Dump
Once privileged, the attacker runs Mimikatz with the sekurlsa module. The tool then either directly reads LSASS memory or reads a process dump.
- Directly Reads LSASS Memory: It attaches to the LSASS process and uses a series of functions and memory offsets to locate and extract the credential data.
- Reads a Process Dump: In some cases, the attacker may first create a memory dump of the LSASS process and then use Mimikatz to analyze the offline dump file.
Credential Extraction
sekurlsa identifies the specific data structures within the LSASS memory that hold the credentials. It then decodes and displays the plaintext passwords, hashes, and tickets.
Lateral Movement
The extracted credentials, particularly Kerberos tickets or password hashes, can then be used in attacks like “pass-the-hash” or “pass-the-ticket.” This allows an attacker to move to other systems on the network without ever needing the original plaintext password.
Key Features and Components
- Access to Multiple Credential Types: The module is not limited to a single type of credential. It can extract passwords, hashes, and tickets, making it a versatile tool for attackers.
- Versatility: The module can be run on a live system or used to analyze a memory dump, providing flexibility for different attack scenarios.
- Continuous Evolution: As Microsoft releases patches to mitigate certain attacks, the developers of Mimikatz and sekurlsa constantly update the tool to find new ways to bypass protections.
Troubleshooting and Considerations
- Credential Guard: Microsoft’s Credential Guard is a key mitigation for sekurlsa. It isolates the LSASS process using virtualization-based security, preventing unauthorized access to its memory.
- LSA Protection: When the LSA Protection registry key is enabled, LSASS runs as a protected process, so code that is not signed by Microsoft cannot be loaded into it. Loading into LSASS is a common technique Mimikatz uses to read its memory, and this setting blocks it.
- JIT (Just-in-Time) Privileges: Implementing privileged access management (PAM) solutions that provide just-in-time access for administrators can limit the window of opportunity for an attacker to gain the necessary privileges to run sekurlsa.
- Disabling WDigest: Disabling the WDigest protocol on legacy systems prevents the storage of plaintext passwords in LSASS memory.
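The following PowerShell script is an added example and not code from the original page or from the Mimikatz project. It audits the three host-level mitigations just listed (LSA Protection, WDigest plaintext storage, Credential Guard) on the local machine and can apply the two that are registry-backed. The registry paths, value names and the Win32_DeviceGuard CIM class are documented Windows settings; the function names are assumptions of this example. It is meant to be run from an elevated PowerShell session.

```powershell
# Added example (not from the original page): audit sekurlsa mitigations on this host.
# Registry paths, value names and Win32_DeviceGuard are documented Windows settings;
# the function names below are this example's own.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-SekurlsaMitigationStatus {
    [CmdletBinding()]
    param()

    # LSA Protection: RunAsPPL = 1 (or 2 on Windows 11, enabled without UEFI lock) runs
    # LSASS as a Protected Process Light, so unsigned code cannot load into it and
    # non-protected processes cannot open it for memory reads.
    $runAsPpl = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL'

    # WDigest: UseLogonCredential = 1 makes LSASS keep plaintext passwords in memory.
    # 0 keeps them out; on current Windows an absent value also means disabled.
    $wdigest = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential'

    # Credential Guard: SecurityServicesRunning contains 1 when it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $credGuard = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]@{ Control = 'LSA Protection (RunAsPPL)';     Value = $runAsPpl; Mitigated = ($runAsPpl -in @(1, 2)) }
    [pscustomobject]@{ Control = 'WDigest plaintext storage off'; Value = $wdigest;  Mitigated = ($wdigest -ne 1) }
    [pscustomobject]@{ Control = 'Credential Guard running';      Value = $dg.SecurityServicesRunning; Mitigated = $credGuard }
}

function Set-SekurlsaRegistryMitigation {
    # Enables LSA Protection and switches WDigest plaintext storage off.
    # Credential Guard is not toggled here: it needs VBS hardware prerequisites and is
    # normally deployed through Group Policy or MDM. RunAsPPL takes effect after a reboot.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wd  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    if ($PSCmdlet.ShouldProcess($lsa, 'Set RunAsPPL = 1')) {
        New-ItemProperty -Path $lsa -Name 'RunAsPPL' -PropertyType DWord -Value 1 -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($wd, 'Set UseLogonCredential = 0')) {
        if (-not (Test-Path $wd)) { New-Item -Path $wd -Force | Out-Null }
        New-ItemProperty -Path $wd -Name 'UseLogonCredential' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Usage: report the current state, then preview the registry changes with -WhatIf
# before applying them for real.
Get-SekurlsaMitigationStatus | Format-Table -AutoSize
Set-SekurlsaRegistryMitigation -WhatIf
```

A "Mitigated" column that is False on any row is the finding to act on. Because RunAsPPL only applies after a reboot, re-run the audit after restarting rather than trusting the registry value alone, and treat the Credential Guard row as authoritative only when the CIM query actually returned an object (older hosts without the DeviceGuard namespace report False).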
Key Terms Appendix
- Mimikatz: An open-source post-exploitation tool for extracting credentials from Windows systems.
- LSASS (Local Security Authority Subsystem Service): A Windows process that manages security policies and authenticates users.
- NTLM Hash: A cryptographic hash used in the NTLM authentication protocol.
- Kerberos: A network authentication protocol that uses tickets to prove a user’s identity.
- Lateral Movement: A technique used by attackers to move from one system to another within a network.
- Credential Guard: A Windows security feature that isolates LSASS to prevent credential theft.