Use cases for "NtReadVirtualMemory" being called on LSASS.exe

  • Question

  • Hi,

    I am interested in understanding the legitimate use cases of calling "NtReadVirtualMemory" on the lsass process. A well-known use case is hacking tools such as mimikatz, which will use this behavior in an attempt to read credentials out of the process space of lsass, but I have also detected signed legitimate installers like Adobe Flash, Google Chrome, Java and others making the same API call on the lsass process.

    Thanks for any insight.

    Friday, December 7, 2018 5:23 PM