# SAM VS LSA VS LSASS

### 1. SAM (Security Account Manager)

#### 📍 What it is

The **local account database** on a Windows machine.

#### 🔐 What it contains

* Local usernames (e.g., `Administrator`, `Bob`)
* **NTLM password hashes** of local accounts

#### 💰 Why it’s useful (attacker POV)

* **Pass-the-Hash (PtH)** attacks
* Lateral movement if:
  * Same local admin password reused across machines

#### ⚠️ Limitations

* Only **local accounts**
* No plaintext passwords
* No domain-wide impact (unless passwords are reused)

***

### 2. LSA (Local Security Authority secrets)

#### 📍 What it is

A storage area managed by Windows for **sensitive system secrets**, accessed via the Local Security Authority.

#### 🔐 What it contains

* Cached domain credentials (DCC2 hashes)
* Service account passwords
* Scheduled task credentials
* Auto-logon credentials (sometimes plaintext 👀)
* Machine account password

#### 💰 Why it’s useful

* **Credential reuse** → pivot to other machines
* Sometimes **plaintext passwords**
* Domain creds even if the DC is not compromised

#### 🔥 High-value finds

* Service account creds → often privileged
* Cached domain creds → lateral movement

***

### 3. LSASS (Local Security Authority Subsystem Service)

#### 📍 What it is

A **running process (`lsass.exe`)** that handles authentication in memory.

#### 🔐 What it contains (in memory)

* Plaintext passwords (sometimes)
* NTLM hashes
* Kerberos tickets (TGTs, TGS)
* Logged-in user credentials

#### 💰 Why it’s the most useful

* Real-time credentials of logged-in users
* If an admin is logged in → **instant privilege escalation**
* Kerberos tickets → Pass-the-Ticket attacks

***

### SAM vs LSA vs LSASS Table

| Feature               | SAM                  | LSA             | LSASS                        |
| --------------------- | -------------------- | --------------- | ---------------------------- |
| Type                  | File (registry hive) | Secrets storage | Memory (process)             |
| Requires admin        | ✅                    | ✅               | ✅                            |
| Contains hashes       | ✅                    | ✅               | ✅                            |
| Contains plaintext    | ❌                    | ⚠️ Sometimes    | ✅ Often                      |
| Contains domain creds | ❌                    | ✅               | ✅                            |
| Best for              | PtH                  | Stored creds    | Live creds / full compromise |
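A defender's view of the table above, as an added example that is not part of the original page: each store maps to different telemetry, so one triage function can label which of the three is being touched. It assumes Sysmon ProcessAccess logging (event 10) and registry auditing that produces Security event 4663 are enabled; the allow-list, the `classify`/`triage` names and the sample events are constructed for illustration.

```python
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Kernel-style registry paths as they appear in the 4663 ObjectName field.
REGISTRY_STORES = {r"\registry\machine\sam": "SAM",
                   r"\registry\machine\security": "LSA"}

# Assumption: processes expected to touch these stores in this environment.
ALLOWED = {r"c:\windows\system32\lsass.exe"}


def classify(event):
    """Return 'SAM', 'LSA', 'LSASS' or None for one normalized event dict."""
    eid = event.get("EventID")
    if eid == 10:  # Sysmon ProcessAccess
        mask = int(event["GrantedAccess"], 16)
        if (event["TargetImage"].lower().endswith(r"\lsass.exe")
                and mask & PROCESS_VM_READ
                and event["SourceImage"].lower() not in ALLOWED):
            return "LSASS"
    elif eid == 4663 and event.get("ObjectType") == "Key":  # audited registry access
        if event["ProcessName"].lower() in ALLOWED:
            return None  # lsass.exe itself reads both hives during normal operation
        name = event["ObjectName"].lower()
        for prefix, store in REGISTRY_STORES.items():
            if name == prefix or name.startswith(prefix + "\\"):
                return store
    return None


def triage(events):
    """Return (index, store) for every event that touches a credential store."""
    hits = []
    for i, ev in enumerate(events):
        store = classify(ev)
        if store:
            hits.append((i, store))
    return hits


LSASS = r"C:\Windows\System32\lsass.exe"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Temp\unknown.exe", "TargetImage": LSASS, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"EventID": 4663, "ObjectType": "Key", "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users", "ProcessName": r"C:\Temp\unknown.exe"},
    {"EventID": 4663, "ObjectType": "Key", "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets", "ProcessName": r"C:\Temp\unknown.exe"},
    {"EventID": 4663, "ObjectType": "Key", "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM", "ProcessName": LSASS},
]

if __name__ == "__main__":
    for index, store in triage(SAMPLE_EVENTS):
        print(f"event {index}: access to {store}")
```

The second sample event is ignored because its access mask (`0x1000`) does not include memory-read rights, and the last one because the accessing process is `lsass.exe` itself.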


