The Finer Details of LSA Credential Recovery
The Local Security Authority (LSA) has long been at the heart of user credential recovery on Windows, and much of that effort is rooted in the design of LSA's authentication packages. Public knowledge of these packages has largely been derived from reverse engineering, aided by public symbols and, often, older source code leaks. That knowledge is incredibly valuable, but it has not always remained accurate for newer Windows releases.
Newer private symbol leaks for Windows 10 have made it possible to re-examine these packages with close to accurate type information. This presentation is the result of such an investigation, carried out with a focus on user credential recovery techniques. It covers insights gained for both memory scanning and logical abuse techniques, with the goal of leaving attendees with a better understanding of the feasibility and limitations of these techniques on newer releases of Windows.