Use cases for "NtReadVirtualMemory" being called on LSASS.exe

    Question

  • Hi,

    I am interested in understanding the legitimate use cases of calling "NtReadVirtualMemory" on the lsass process. A well-known use case is hacking tools such as mimikatz, which will use this behavior as an attempt to read credentials out of the process space of lsass, but I have also detected signed legitimate installers like Adobe Flash, Google Chrome, Java and others making the same API call on the lsass process.

    Thanks for any insight.


    Friday, December 7, 2018 5:23 PM