2025-06-28, Grand Salon
LSA has been at the heart of user credential recovery efforts on Windows. Much of that work is rooted in the design of LSA's authentication packages. Public knowledge of these packages has largely been derived from reverse engineering, aided by public symbols and, often, older source code leaks. That knowledge is incredibly valuable, but it has not always held true for newer Windows releases.
Newer private symbol leaks for Windows 10 have made it possible to reinvestigate these packages with close to accurate type information. This presentation is the result of such an investigation, performed with a focus on user credential recovery techniques. Insights gained for both memory scanning and logical abuse techniques will be presented. The goal is to leave audience members with a better understanding of the feasibility and limitations of these techniques on newer releases of Windows.
The design of how LSA manages user logon sessions will be presented, based on a recent study of LSA and its internal data structures. Along the way, the user credentials that can be recovered from these structures will be highlighted. Clear advice for recovering those credentials, and specific information on how Credential Guard affects their recovery, will be given. Last, logical abuses will be described for recovering logon session credentials when all LSA protections are in full effect.
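The abstract singles out Credential Guard and the other LSA protections as the factors that decide which recovery technique is still feasible. As an added example (not code from the talk or from SpecterOps), the PowerShell below reads the documented switches behind those protections and turns them into a first-pass assessment. It assumes Windows 10/11, an elevated session, the documented Win32_DeviceGuard WMI class, and the documented RunAsPPL and LsaCfgFlags values under the Lsa registry key; the assessment strings are the author's own summary, not the talk's findings.

```powershell
# Added example, not code from the talk or from SpecterOps.
# Reads the Windows-documented switches behind LSA protection (RunAsPPL) and
# Credential Guard so an assessor knows before touching lsass.exe whether
# memory scanning can work at all or whether logical abuse is the only route.
# Assumes Windows 10/11, an elevated PowerShell session, the documented
# Win32_DeviceGuard WMI class and the documented values under the Lsa key.
function Get-LsaProtectionStatus {
    [CmdletBinding()]
    param()

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue

    # RunAsPPL: nonzero means LSASS is started as a protected process (PPL),
    # so non-protected, unsigned tooling cannot open it with PROCESS_VM_READ.
    $runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }

    # LsaCfgFlags: 1 = Credential Guard enabled with UEFI lock,
    # 2 = enabled without UEFI lock, 0/absent = not configured via this key.
    $lsaCfgFlags = if ($null -ne $lsa.LsaCfgFlags) { [int]$lsa.LsaCfgFlags } else { 0 }

    # Win32_DeviceGuard reports what VBS is actually running right now:
    # VirtualizationBasedSecurityStatus 2 = running; service id 1 in
    # SecurityServicesRunning is Credential Guard (2 would be HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $cgRunning  = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    # Author's summary of what each state means for the techniques the talk covers.
    $assessment = if ($cgRunning) {
        'Credential Guard running: the isolated secrets (NTLM hashes, Kerberos TGTs) live in LSAIso, not lsass.exe; scanning lsass.exe memory will not reach them, leaving logical abuse of LSA as the remaining route.'
    } elseif ($runAsPpl -ne 0) {
        'LSA protection (PPL) on without Credential Guard: secrets are still in lsass.exe memory, but reading it needs PPL-level access (a signed driver or a kernel read primitive).'
    } else {
        'No LSA protection detected: lsass.exe memory is readable with SeDebugPrivilege; standard memory-scanning techniques apply.'
    }

    [pscustomobject]@{
        RunAsPPL               = $runAsPpl
        LsaCfgFlags            = $lsaCfgFlags
        VbsRunning             = [bool]$vbsRunning
        CredentialGuardRunning = [bool]$cgRunning
        Assessment             = $assessment
    }
}

Get-LsaProtectionStatus | Format-List
```

The registry values say what is configured, while Win32_DeviceGuard says what is actually running after boot; a host can have LsaCfgFlags set yet show Credential Guard not running (for example when virtualization is unavailable), so the running state is what the assessment keys on.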
Senior software engineer at SpecterOps