Secure by design architecture for defending against LSASS credential theft across hybrid environments.

Summary

Credential theft via the Windows Local Security Authority Subsystem Service (LSASS) memory, cataloged as MITRE ATT&CK T1003.001, remains a foundational technique in modern cyberattacks. Its successful execution provides adversaries with the keys to the kingdom, enabling lateral movement, privilege escalation, and the deployment of catastrophic ransomware. The attack surface for this technique is no longer confined to on-premises networks; it extends across the entire hybrid enterprise, encompassing cloud-based virtual machines and containerized workloads. The persistence of this threat, coupled with the increasing sophistication of evasion techniques, necessitates a fundamental shift from reactive detection to a proactive, secure-by-design defense.

This report presents a comprehensive, multi-layered security program designed to neutralize the threat of LSASS credential theft. The architecture is rooted in Zero Trust principles and integrates hardware-based isolation, operating system hardening, AI-enhanced behavioral detection, and automated response capabilities. It provides a unified security posture that is consistent across on-premises endpoints, hybrid cloud infrastructure in Azure, AWS, and GCP, and Windows container ecosystems.

The business value of this program is threefold. First, it demonstrably reduces the risk of high-impact security breaches by protecting the organization’s most critical identity assets. Second, it enhances operational efficiency by leveraging automation to handle low-level threats, freeing security operations teams to focus on sophisticated adversaries. Third, it provides a clear framework for achieving and demonstrating compliance with major international regulations, including GDPR and the NIS2 Directive, while strategically preparing the organization’s identity infrastructure for future challenges, such as the advent of post-quantum cryptography.

This document serves as a strategic blueprint for executive sponsorship, a detailed technical guide for architectural implementation, and an operational playbook for security teams.

I. The Evolving Threat Landscape of Credential Access

A comprehensive defense against LSASS credential theft must be predicated on a deep understanding of the adversary’s methods. These techniques have evolved significantly, moving from noisy, easily detectable tools to highly sophisticated, fileless, and kernel-level bypasses designed to circumvent modern endpoint protection. This evolution represents a direct response to advancements in defensive technologies, creating a clear escalation pathway that informs the necessity of a defense-in-depth strategy.

1.1 Foundational Techniques and Tooling

The bedrock of LSASS credential dumping involves a set of well-understood tools and “living-off-the-land” (LOTL) binaries. While often detected by mature security programs, they remain prevalent and form the initial steps in many attack chains.

• Microsoft Sysinternals Procdump: A legitimate diagnostic tool frequently abused by attackers to create a full memory dump of the lsass.exe process. The command procdump -ma lsass.exe lsass.dmp writes the process memory to a file, which can then be moved offline for credential extraction using tools like Mimikatz.¹ While effective, this technique generates distinct command-line artifacts and file creation events that are readily monitored.
• Mimikatz sekurlsa::logonpasswords: The quintessential post-exploitation tool for directly parsing credentials from LSASS memory in real-time.³ Mimikatz targets various Security Support Providers (SSPs) like Kerberos, WDigest, and MSV to extract plaintext passwords, hashes, and tickets.¹ Its widespread use has led to robust signature and behavioral detections, compelling adversaries to adopt more advanced, obfuscated variants.
• Living-off-the-Land (LOTL) Binaries: To evade application whitelisting and reputation-based security controls, adversaries leverage trusted, Microsoft-signed binaries.

• Task Manager (taskmgr.exe): The standard Windows Task Manager provides a built-in function to “Create dump file” for any running process, including LSASS. This is a simple, manual method that relies on interactive access but leaves a clear audit trail if process access is monitored.³
• rundll32.exe and comsvcs.dll: A more stealthy LOTL technique involves using rundll32.exe to call an exported MiniDump function within the legitimate comsvcs.dll library. This method executes the memory dumping logic without a suspicious executable, using the command rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> dump.dmp full.²

1.2 Advanced Evasion and In-Memory Techniques

To counter the rise of endpoint detection and response (EDR) solutions, attackers have shifted towards techniques that minimize or eliminate disk-based artifacts, operating entirely within system memory.

• Fileless and Reflective Loading: Instead of writing malicious executables to disk, adversaries use scripting languages like PowerShell to download and execute credential dumping logic directly in memory. Frameworks such as PowerSploit contain modules like Invoke-Mimikatz, which reflectively load the Mimikatz DLL into the memory of the PowerShell process and execute its functions without ever touching the disk.⁵ This bypasses traditional file-based antivirus scanning.
• Direct System Calls and API Unhooking: EDR solutions typically function by “hooking” Windows API calls in user-mode to inspect their parameters and block malicious behavior. To bypass this, advanced malware avoids these hooked functions (e.g., OpenProcess, ReadProcessMemory) and instead invokes the underlying, unmonitored system calls directly from ntdll.dll. This technique renders the malicious activity invisible to EDRs that lack kernel-level visibility.³
• Security Support Provider (SSP) Injection: A powerful technique for both persistence and credential harvesting involves an attacker with administrative privileges registering a malicious DLL as a new SSP in the Windows Registry (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages). Upon the next reboot or when the AddSecurityPackage API is called, LSASS loads this malicious DLL directly into its protected process space. From within LSASS, the malicious SSP has direct, unfettered access to all plaintext credentials as they are processed by the system, making it an exceptionally stealthy and effective method of credential theft.¹

1.3 Kernel-Level Bypass and Protection Tampering

The most sophisticated adversaries target the very security mechanisms designed to protect LSASS. These attacks require the highest level of privilege (SYSTEM or kernel) and represent the apex of evasion techniques. The existence of these methods proves that user-mode protections alone are insufficient.

• Bring Your Own Vulnerable Driver (BYOVD): In a BYOVD attack, an adversary with administrative rights loads a legitimate, but vulnerable, third-party driver that is signed by a valid certificate authority. By exploiting a vulnerability in this trusted driver, the attacker can execute arbitrary code in kernel mode. From this highly privileged context, they can either read LSASS process memory directly or, more devastatingly, surgically disable security protections. This can be achieved by locating the EPROCESS kernel structure for the lsass.exe process and zeroing out the flags that designate it as a Protected Process Light (PPL), effectively turning off LSA Protection before using standard user-mode tools to dump credentials with impunity.⁹
• Protected Process Light (PPL) Bypass Tools: A lineage of open-source tools demonstrates specific vulnerabilities in Windows that allow for PPL bypass. Tools like PPLdump have exploited weaknesses in how PPL processes load DLLs from the KnownDLLs cache. Subsequent tools like PPLmedic and PPLFault have used other techniques, such as exploiting time-of-check-time-of-use (TOCTOU) race conditions during page fault handling, to achieve code execution within a protected process and dump LSASS memory.¹¹

1.4 The Next Frontier: AI-Powered and Container-Based Threats

The threat landscape continues to evolve, with emerging attack vectors leveraging artificial intelligence and the architectural complexities of containerization.

• AI-Powered Evasion: Adversaries are beginning to leverage AI and machine learning, often through “dark LLMs,” to generate polymorphic and metamorphic malware. These malicious programs can automatically and continuously alter their code, encryption methods, and behavior to evade signature-based and simple heuristic detection engines.¹² Recent research has demonstrated AI models capable of generating malware that can successfully bypass Microsoft Defender with a notable success rate.¹⁴ This trend signals a future where static analysis becomes increasingly obsolete, and defense must rely on real-time behavioral and anomaly detection.
• Container Escape: In environments utilizing Windows containers, the primary threat vector against the host’s LSASS process is a “container escape.” By default, Windows Server containers run in a process-isolated mode, sharing the host operating system’s kernel. An attacker who compromises an application inside a container can exploit a kernel vulnerability or a critical misconfiguration—such as running the container in a privileged mode or mounting sensitive host directories like C:\ or the Docker socket—to break out of the container’s isolation boundary. Once on the host, they have effectively achieved local privilege and can proceed to attack LSASS using the techniques described previously.¹⁵

The clear progression from simple tools to kernel-level bypasses demonstrates that adversaries systematically adapt to defensive improvements. When signature-based antivirus blocked mimikatz.exe, attackers pivoted to fileless techniques and LOTL binaries. When EDRs began detecting the behavior of these LOTL tools, defenders responded with OS-native controls like LSA Protection to block the malicious access attempts fundamentally. In response, the most sophisticated attackers moved to the kernel via BYOVD to disable the protections themselves. This escalates the conflict to a battle for the highest level of system privilege. This dynamic proves that any single-layer defense is destined to fail. A resilient architecture must impose costs and friction on the attacker at every step of this escalation ladder, combining hardware, kernel, and user-space defenses.

The following matrix synthesizes this threat analysis, mapping specific techniques to their operational requirements and observable artifacts. This provides a foundational reference for designing the preventative controls and detection logic detailed in the subsequent sections.

II. A Unified Controls Architecture for Credential Protection

A resilient defense against the multifaceted LSASS threat requires a unified, defense-in-depth architecture. This architecture must be consistently applied across all environments—on-premises, cloud, and container hosts—to eliminate weak points. The strategy layers controls from the hardware root of trust upwards through the operating system and application layers. The implementation of these controls should follow a phased, risk-based approach, beginning with broad, flexible controls and progressing to more stringent, hardware-dependent protections.

2.1 Foundational Layer: Hardware-Rooted Isolation

The most effective preventative controls are those that leverage hardware virtualization to create a security boundary that even a compromised operating system kernel cannot breach. These technologies form the bedrock of a modern Windows security architecture.

• Virtualization-Based Security (VBS): VBS is the core enabling technology that utilizes the processor’s virtualization extensions and the hypervisor to create an isolated, secure execution environment known as Virtual Secure Mode (VSM). VSM runs parallel to the normal Windows kernel but is protected by the hypervisor, making its memory space inaccessible to code running in the main OS, including kernel-mode drivers.¹⁸
• Credential Guard: This is the primary VBS-enabled feature for protecting credentials. When enabled, Credential Guard fundamentally alters the Windows authentication architecture. It moves sensitive credential materials, such as NTLM password hashes and Kerberos Ticket-Granting Tickets (TGTs), out of the memory of the standard lsass.exe process. Instead, these secrets are stored and managed by a new, isolated process, LSAIso.exe, which runs inside the VSM.¹⁸ Any request for these credentials from the main OS
  lsass.exe must go through a tightly controlled and audited Remote Procedure Call (RPC) interface, effectively blocking direct memory scraping attacks like Pass-the-Hash.¹⁸
• Hardware and Software Prerequisites: The robustness of Credential Guard is derived from its reliance on a hardware-rooted chain of trust. Deployment requires specific capabilities: a 64-bit processor with virtualization extensions (Intel VT-x or AMD-V) and Second Level Address Translation (SLAT); UEFI firmware (version 2.3.1 or later) with Secure Boot enabled; and a Trusted Platform Module (TPM) version 2.0.¹⁹ Secure Boot ensures the integrity of the boot process up to the hypervisor, while the TPM protects the VBS keys, preventing offline attacks.¹⁸
• Operational Challenges and Compatibility: While powerful, deploying Credential Guard at scale requires careful planning. Organizations must manage a heterogeneous hardware fleet, as older devices may not meet the prerequisites. Furthermore, certain legacy applications and authentication protocols are incompatible. NTLMv1, MS-CHAPv2 (often used in RADIUS and VPN configurations), and Digest authentication cannot use single sign-on with Credential Guard enabled, which can lead to application failures or repeated credential prompts.²⁰ For these reasons, and because it provides no additional security benefit on a system that already holds all secrets, Credential Guard is not supported or recommended for deployment on Active Directory Domain Controllers.¹⁸

2.2 OS-Level Hardening and Access Control

For systems that do not meet the hardware requirements for Credential Guard, or as an additional defense layer, several operating system-level controls provide substantial protection against LSASS attacks.

• LSA Protection (RunAsPPL): This feature configures the lsass.exe process to run as a Protected Process Light (PPL). PPL is a security mechanism that prevents non-PPL processes, even those running with administrative privileges, from opening a handle to the LSASS process for memory reading (PROCESS_VM_READ) or code injection (PROCESS_CREATE_THREAD).¹⁰ This single control effectively neutralizes the majority of common user-mode credential dumping tools. LSA Protection is enabled by setting the
  HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL registry value to 1. For enhanced tamper resistance, it can be enabled with a UEFI lock (RunAsPPLBoot registry value), which stores the configuration in a UEFI variable, preventing an attacker with administrative rights from simply disabling it via the registry.²³
• Attack Surface Reduction (ASR) Rule: Microsoft Defender’s ASR rules provide a flexible, policy-driven way to block malicious behaviors. The rule “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” (GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) is specifically designed to block processes from obtaining a handle to LSASS.²⁵ A key advantage of the ASR rule is its operational flexibility. It can be deployed in
  Audit mode initially, which logs events for processes that would have been blocked without actually preventing the action. This audit data is invaluable for identifying legitimate applications (such as third-party security agents or monitoring tools) that require access to LSASS, allowing administrators to create targeted exclusions before switching the rule to Block mode.²⁵
• Privilege and Credential Hygiene: Foundational security practices are essential to reduce the overall attack surface.

• SeDebugPrivilege Management: The SeDebugPrivilege user right is a prerequisite for many tools to access the memory of other processes, including LSASS. This privilege should be removed from all local and domain accounts and groups where it is not absolutely essential for a specific administrative function.
• Disabling WDigest: The WDigest authentication protocol historically allowed for plaintext passwords to be stored in LSASS memory. While disabled by default in modern Windows versions, organizations must ensure through policy that the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseLogonCredential is set to 0 to prevent re-enabling this feature.²⁸
• Local Administrator Password Solution (LAPS): To combat lateral movement using stolen local administrator credentials, LAPS should be deployed to randomize the password for the built-in local administrator account on every domain-joined machine and store it securely in Active Directory.²⁵

The implementation of these controls should not be viewed as an “all or nothing” choice. A strategic, phased deployment maximizes risk reduction while minimizing operational disruption. The ASR rule’s Audit mode provides the initial visibility needed to plan a broader rollout. This data can inform the creation of exclusions required before moving the ASR rule to Block mode and enabling the more stringent LSA Protection. Finally, Credential Guard can be deployed to the subset of the fleet that meets the hardware requirements, providing the highest level of assurance for the most critical assets. This tiered approach ensures that the entire organization benefits from a baseline level of hardening quickly, while the most advanced protections are targeted where they are most effective and feasible.

The following table provides a consolidated baseline of hardening configurations across various management platforms, translating the architectural principles into an actionable implementation guide for engineering teams.

III. AI-Enhanced Detection and Response Engineering

While preventative controls form the core of the defense strategy, a robust detection and response capability is essential to identify and neutralize adversaries who manage to bypass them. A modern Security Operations Center (SOC) must move beyond simple signature-based alerts and embrace behavioral analytics, high-fidelity detection logic, and automated response workflows to counter sophisticated LSASS attacks.

3.1 High-Fidelity Detection Engineering

Effective detection engineering focuses on identifying anomalous behaviors that are strong indicators of compromise, while minimizing the noise from legitimate system activity. This requires rich endpoint telemetry and advanced analytical capabilities.

• Sysmon Configuration for LSASS Monitoring: System Monitor (Sysmon) is a critical tool for generating deep endpoint telemetry. A targeted configuration is essential for detecting advanced LSASS attacks. The following configuration snippet focuses on Sysmon Event ID 10 (ProcessAccess), which logs when one process attempts to access the memory of another. This rule specifically targets access to lsass.exe and includes a curated list of legitimate system processes to exclude, thereby reducing false positives and highlighting genuinely suspicious access attempts.³⁰
  XML
  <Sysmon schemaversion=”4.90″>
    <EventFiltering>
      <RuleGroup name=”” groupRelation=”or”>
        <ProcessAccess onmatch=”exclude”>
          <SourceImage condition=”is”>C:\Windows\System32\wininit.exe</SourceImage>
          <SourceImage condition=”is”>C:\Windows\System32\services.exe</SourceImage>
          <SourceImage condition=”is”>C:\Windows\System32\svchost.exe</SourceImage>
          <SourceImage condition=”is”>C:\Windows\System32\lsm.exe</SourceImage>
          <SourceImage condition=”is”>C:\Windows\System32\csrss.exe</SourceImage>
          <SourceImage condition=”is”>C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
          <SourceImage condition=”is”>C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>
        </ProcessAccess>
        <ProcessAccess onmatch=”include”>
          <TargetImage condition=”is”>C:\Windows\System32\lsass.exe</TargetImage>
        </ProcessAccess>
      </RuleGroup>
    </EventFiltering>
  </Sysmon>
  
• Advanced KQL Threat Hunting Queries: Microsoft Sentinel, using the Kusto Query Language (KQL), provides a powerful platform for proactive threat hunting. The following queries are designed to uncover subtle indicators of LSASS credential theft that may not trigger standard alerts.³²
• Query 1: Detection of comsvcs.dll MiniDump Activity
  This query specifically hunts for the “Living-off-the-Land” technique of using rundll32.exe to dump LSASS memory via comsvcs.dll. It looks for the characteristic command-line pattern.7
  Codefragment
  DeviceProcessEvents

| where InitiatingProcessFileName =~ “rundll32.exe”

| where ProcessCommandLine has_all (“comsvcs.dll”, “MiniDump”)

| extend TargetProcessId = extract(“MiniDump, ([0-9]+)”, 1, ProcessCommandLine)

| join kind=inner (

DeviceProcessEvents

| where FileName =~ “lsass.exe”

| project TargetProcessId = ProcessId, DeviceName

) on TargetProcessId, DeviceName

| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName

“`

*   **Query 2: Anomalous LSASS Process Access with ML Scoring**
    This query identifies processes accessing LSASS and enriches the data with a hypothetical Machine Learning model score (`ml_score`). This approach moves beyond simple rules to risk-based alerting, prioritizing events where the accessing process is rare or has suspicious characteristics.[34, 35]

    “`kql
    DeviceProcessEvents

| where ActionType == “ProcessAccessed” and FileName =~ “lsass.exe”

// Exclude known good processes to reduce noise

| where InitiatingProcessFileName!in (“wininit.exe”, “services.exe”, “svchost.exe”, “lsm.exe”)

// The ml_score function is a placeholder for a custom ML model that scores the rarity/risk of the InitiatingProcess, its command line, and parent process.

| extend RiskScore = ml_score(DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName)

| where RiskScore > 0.8

| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, GrantedAccess, RiskScore

| top 100 by RiskScore desc

“`

*   **Query 3: Suspicious LSASS Dump File Creation**
    This query hunts for the creation of `.dmp` files originating from common tools used for LSASS dumping, providing a strong indicator of a successful memory dump.

    “`kql
    DeviceFileEvents

| where ActionType == “FileCreated” and FileName endswith “.dmp”

| where InitiatingProcessFileName in~ (“taskmgr.exe”, “procdump.exe”, “sqlumper.exe”, “rundll32.exe”)

| join kind=inner (

DeviceProcessEvents

| where FileName =~ “lsass.exe”

| project LSASS_ProcessId = ProcessId, DeviceName, Timestamp

) on DeviceName

// Correlate file creation with recent LSASS process activity

| where abs(Timestamp – todouble(Timestamp1)) < 2m

| project-away Timestamp1, LSASS_ProcessId

| summarize count() by DeviceName, InitiatingProcessFileName, FolderPath, SHA1

“`

The combination of preventative controls like LSA Protection and advanced behavioral detection creates a powerful synergy. By enabling LSA Protection, the operating system blocks the vast majority of low-sophistication, noisy attacks before they can even generate telemetry. This dramatically reduces the volume of events the SOC must analyze, effectively filtering the signal from the noise. Consequently, a process access alert for LSASS on a machine where LSA Protection is enabled becomes a high-fidelity, high-severity indicator. It strongly implies that the attacker has successfully employed a more advanced technique, such as a kernel-level bypass, justifying an immediate and escalated incident response.

3.2 SOAR Automation and Incident Response

To respond at machine speed, Security Orchestration, Automation, and Response (SOAR) platforms must be integrated with detection systems. A well-defined playbook for LSASS credential theft ensures a consistent, rapid, and thorough response, minimizing attacker dwell time.

• LSASS Credential Theft Incident Response Playbook: Based on established frameworks like the SANS incident response process, this playbook outlines the critical steps for handling a high-confidence LSASS compromise alert.³⁶
  1. Trigger:

• High-confidence alert from EDR (e.g., “Credential theft from LSASS blocked”).
• High-risk KQL detection from Sentinel (e.g., Anomalous LSASS access with RiskScore > 0.9).

2. Automated Enrichment & Triage (SOAR):

• Step 1: Retrieve alert details (Device, User, Process, Command Line).
• Step 2: Query Entra ID/Active Directory for user’s role and privileges.
• Step 3: Query CMDB to determine device criticality and owner.
• Step 4: Create a high-priority ticket in the incident management system.

3. Containment (SOAR with Human Approval):

• Step 5: Isolate Endpoint: Execute API call to EDR (e.g., Microsoft Defender for Endpoint) to isolate the device from the network, allowing only connections to security tools.
• Approval Gate: For devices tagged as “Critical Server” in the CMDB, require SOC Manager approval before isolation.
• Step 6: Disable User Account: Execute API call to Entra ID/AD to disable the compromised user account, preventing immediate lateral movement.

4. Investigation & Evidence Collection (SOAR):

• Step 7: Live Response: Initiate a live response session with the isolated endpoint.
• Step 8: Collect Forensics: Execute commands to collect a full memory dump (using a trusted tool), a list of running processes, active network connections, and relevant event logs. Store evidence in a secure central repository.

5. Eradication & Recovery (Manual/Assisted):

• Step 9: Analyze Evidence: A SOC analyst performs memory forensics on the collected dump to identify the malicious code and understand the extent of the compromise.
• Step 10: Reset Credentials: Reset passwords for all accounts that had an active session on the compromised machine at the time of the incident.
• Step 11: Rebuild System: The compromised endpoint should be re-imaged from a known-good source to ensure complete eradication of the threat.

6. Post-Incident Activity:

• Step 12: Lessons Learned: Document the attack vector, control failures, and detection gaps.
• Step 13: Tune Defenses: Update detection rules, SOAR playbooks, and preventative controls based on the findings.

This automated playbook ensures that containment actions are taken within minutes of detection, drastically shrinking the window of opportunity for an attacker to exploit the stolen credentials.

IV. Extending Protection to the Hybrid Cloud and Container Ecosystem

Credential protection cannot be confined to the on-premises environment. A unified security posture requires that the principles of isolation and behavioral monitoring are consistently applied to Infrastructure-as-a-Service (IaaS) virtual machines and modern containerized workloads. This involves leveraging cloud-native security services and adapting hardening principles to the unique architectures of these platforms.

4.1 Securing IaaS and PaaS Workloads

Each major cloud provider offers a suite of security tools that can be used to deploy, monitor, and enforce LSASS protection controls on Windows virtual machines.

• Microsoft Azure: The integration between Azure and Microsoft’s security stack provides a seamless experience.

• Deployment: Azure Policy can be used to enforce the hardening baselines at scale, ensuring all new and existing Windows VMs automatically receive the correct GPO-equivalent settings for LSA Protection, ASR, and Credential Guard prerequisites.
• Detection: Microsoft Defender for Cloud provides workload protection capabilities, including file integrity monitoring and behavioral analytics. When integrated with Microsoft Sentinel, telemetry from Defender for Cloud, Windows VMs (via the Azure Monitor Agent), and Azure Activity Logs can be correlated in a single place. The advanced KQL queries detailed in Section III can be run directly in Sentinel to hunt for LSASS threats across the entire Azure estate.⁷
• Amazon Web Services (AWS): A robust defense in AWS involves combining infrastructure-level logging with on-host runtime monitoring.

• Deployment: AWS Systems Manager can be used to deploy and maintain the required configuration state on EC2 instances, applying registry keys for LSA Protection and running PowerShell commands to set ASR rules.
• Detection: AWS GuardDuty is the primary threat detection service. While its foundational data sources (VPC Flow Logs, DNS Logs, CloudTrail) are crucial, the EC2 Runtime Monitoring feature is essential for LSASS protection. By deploying a lightweight GuardDuty agent onto EC2 instances, this feature provides deep visibility into on-host activities like process execution, command-line arguments, and network connections. It can generate specific findings like Execution:Runtime/SuspiciousCommand when it detects behavior consistent with credential dumping tools, providing telemetry that is otherwise unavailable from network logs alone.⁴⁰ These findings should be correlated with AWS CloudTrail logs, which record all API activity, to trace the full scope of an attack.⁴³
• Google Cloud Platform (GCP): GCP’s Security Command Center (SCC) provides a centralized platform for threat detection and posture management.

• Deployment: Google Cloud’s OS Config agent can be used to enforce desired state configurations on Compute Engine VM instances, ensuring that hardening policies for LSASS protection are consistently applied.
• Detection: Security Command Center Premium integrates several services critical for detecting credential theft. Event Threat Detection analyzes Cloud Audit Logs for suspicious API usage, while VM Threat Detection can identify the execution of known malicious applications, including cryptocurrency miners and credential dumpers, running within a VM.⁴⁴ For containerized workloads, SCC can detect processes searching for Google Cloud credentials within a container, indicating a potential attempt to steal service account tokens for lateral movement.⁴⁵

4.2 Hardening Windows Container Environments

By default, Windows Server containers use process isolation, meaning they share the host OS kernel. This architectural choice makes a container escape a direct threat to the host’s LSASS process. Securing this environment relies on the universal principle of isolation, mirroring the same logic that makes Credential Guard effective.

• Applying NIST SP 800-190 Principles: The Application Container Security Guide provides a foundational framework for securing containerized environments.⁴⁷ Key recommendations include:

• Image Security: Use minimal, hardened base images (e.g., Nano Server) to reduce the attack surface. Integrate vulnerability scanning into the CI/CD pipeline to identify and patch known vulnerabilities before deployment.
• Registry Security: Use a trusted, private container registry with strong authentication and authorization controls to prevent image tampering.
• Orchestrator Security (Kubernetes): Harden the Kubernetes control plane by restricting access to the API server, using strong authentication, and enabling audit logging.⁴⁹
• Preventing Container Escape: The primary objective is to enforce strict isolation boundaries to prevent a compromised container from affecting the host.

• Pod Security Standards: Kubernetes Pod Security Standards (or their policy-as-code equivalents like OPA/Gatekeeper) must be used to enforce the Baseline or Restricted profiles. This prevents the deployment of privileged containers, which effectively disable all isolation mechanisms.⁵²
• Least Privilege Identity: Follow the principle of least privilege for service accounts. Disable the automatic mounting of the default service account token in pods and create dedicated, narrowly-scoped service accounts for each application. In cloud environments like AKS, use workload identity mechanisms to grant pods access to cloud resources without storing long-lived credentials.⁵³
• Runtime Protection: Deploy a Container Workload Protection Platform (CWPP) or cloud-native solution (like Defender for Containers or GuardDuty EKS Protection) to monitor container runtime behavior. These tools can detect anomalous process execution, suspicious network connections, and file access patterns within the container that may indicate an attempted breakout.
• Hyper-V Isolation: The Definitive Control: For any multi-tenant workload or application processing sensitive data, Windows process-isolated containers do not provide a sufficiently robust security boundary. In these scenarios, Hyper-V isolated containers are the definitive control. This mode wraps each container in a lightweight, dedicated virtual machine, providing a hardware-enforced kernel boundary between the container and the host OS.¹⁷ A kernel exploit within the container would be contained within its dedicated micro-VM, preventing it from accessing the host kernel and, by extension, the host’s LSASS process. This architectural choice directly parallels the VBS model used by Credential Guard: in both cases, the hypervisor is used to create a strong, hardware-rooted isolation boundary that is resilient to software-level compromise. This should be the default configuration for all security-sensitive Windows container workloads.

V. Governance, Compliance, and Future-Proofing

A technically sound security architecture must be embedded within a broader strategic framework of governance, regulatory compliance, and forward-looking planning. This ensures the program is not only effective today but also sustainable, auditable, and prepared for the technological shifts of tomorrow. Framing the LSASS protection program as a foundational step in a larger Zero Trust journey can serve as a powerful catalyst, translating an abstract strategic goal into a tangible, high-impact project.

5.1 Aligning with Zero Trust and Adaptive Trust Models

The principles of LSASS protection are intrinsically aligned with a Zero Trust architecture, which shifts the security focus from network perimeters to identity and assumes that a breach is inevitable.

• Implementing Zero Trust (NIST SP 800-207): A Zero Trust architecture operates on the principle of “never trust, always verify”.⁵⁴ The LSASS hardening controls are direct implementations of this philosophy:

• Assume Breach: Credential Guard and LSA Protection are designed to protect credentials even after an endpoint has been compromised by malware or an attacker has gained administrative privileges. They contain the breach by preventing the theft of credentials needed for lateral movement.
• Least Privilege Access: The principle is applied by removing unnecessary privileges like SeDebugPrivilege and using Just-in-Time (JIT) access for administrative tasks, minimizing the window of opportunity for an attacker.
• Verify Explicitly: Every access request should be authenticated and authorized. Integrating strong Multi-Factor Authentication (MFA) for all administrative access is a critical complementary control.
• Evolving to Adaptive Trust Models: A static Zero Trust policy is a significant improvement, but the next evolution is an adaptive trust model. This model uses a dynamic, risk-based approach to access control, continuously assessing trust based on real-time signals.⁵⁶ An attempted LSASS dump, even if blocked by an ASR rule or LSA Protection, is a powerful risk signal. This signal can be ingested by an Identity and Access Management (IAM) system or Conditional Access policy engine. In response to this heightened risk score, the system could dynamically enforce stricter controls for that user or device, such as:

• Triggering a step-up authentication challenge requiring a phishing-resistant MFA method.
• Requiring a device health attestation check before allowing access to sensitive applications.
• Reducing the session token lifetime or blocking access to critical data altogether until a security review is completed.

5.2 Regulatory and Compliance Mapping

Implementing a robust LSASS protection program provides tangible evidence of compliance with major international data protection and cybersecurity regulations.

• General Data Protection Regulation (GDPR): The controls directly support compliance with Article 32 (“Security of processing”), which requires data controllers to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Protecting credentials is a fundamental technical measure. A credential theft incident that exposes personal data is a reportable data breach under Article 33, mandating notification to the supervisory authority within 72 hours.⁵⁸ The existence of strong preventative controls like Credential Guard can serve as a mitigating factor in regulatory assessments.
• NIS2 Directive: For organizations classified as “essential” or “important” entities, the NIS2 Directive mandates the implementation of baseline cybersecurity risk-management measures. These include policies on risk analysis, incident handling, and supply chain security.⁶⁰ A comprehensive LSASS protection program is a core component of a compliant incident handling and risk management strategy.⁶⁰
• ISO/IEC 27001:2022: The architecture maps directly to several key controls within Annex A, providing a clear path for certification and audit. Relevant controls include A.5.15 (Access Control), A.8.2 (Privileged access rights), A.8.5 (Secure authentication), and A.8.24 (Use of cryptography), which covers the secure management of cryptographic keys used in authentication protocols.⁶³
• ISO/IEC 42001 (AI Management System): For the AI-enhanced detection components of the program, ISO 42001 provides a framework for responsible governance. This ensures that any machine learning models used for anomaly detection are developed, deployed, and maintained in a way that is ethical, transparent, and manages risks such as bias and data privacy, aligning with stakeholder expectations.⁶⁶

5.3 Preparing for the Quantum Threat

The advent of cryptographically relevant quantum computers poses a long-term, existential threat to the cryptographic foundations of modern authentication protocols like Kerberos. Strategic planning for this transition must begin now.

• The Threat to Legacy Authentication: Quantum computers, using Shor’s algorithm, will be capable of breaking the asymmetric cryptography (like RSA and ECC) that underpins many authentication mechanisms, including Kerberos Public Key Cryptography for Initial Authentication (PKINIT). Simultaneously, Grover’s algorithm provides a quadratic speedup for brute-force attacks against symmetric algorithms, effectively halving the bit-strength of ciphers like AES, which is used to encrypt Kerberos tickets.⁶⁹ While NTLM relies on hashing, which is less directly impacted, its other cryptographic weaknesses make it an unsuitable long-term protocol.⁷⁰
• “Harvest Now, Decrypt Later”: The threat is not just in the future. Adversaries are actively engaging in “harvest now, decrypt later” attacks, where they capture and store encrypted network traffic today. They anticipate that in the future, they will be able to use a quantum computer to decrypt this historical data, revealing past credentials, session keys, and sensitive information.⁷¹ This makes the transition to post-quantum cryptography (PQC) an urgent priority.
• Roadmap to Quantum Resilience: Organizations heavily reliant on legacy systems like on-premises Active Directory face a significant challenge, as these systems were not designed for crypto-agility.⁷² A strategic roadmap to prepare for the PQC transition should include:

1. Cryptographic Inventory: Conduct a thorough inventory of all systems and applications that rely on legacy cryptography for authentication and data protection.
2. Prioritize Migration: Focus initial migration efforts on systems that protect the most sensitive, long-lived data, as they are most at risk from “harvest now, decrypt later” attacks.
3. Embrace Crypto-Agility: Plan a long-term transition away from crypto-rigid platforms towards modern, cloud-native identity systems (like Entra ID) where vendors like Microsoft are actively engineering PQC support and can manage the complex algorithm transition on behalf of their customers.⁷³

VI. Maturity Model

Translating this comprehensive architecture into reality requires a structured, phased implementation plan. This roadmap is designed to deliver incremental value, manage operational risk, and mature the organization’s security posture over a 180-day period. It is supported by a clear governance model and measurable success metrics to ensure accountability and track progress.

6.1 Governance and Success Metrics (KPIs)

A clear governance structure and data-driven metrics are essential for program success.

• RACI Matrix:

• Key Performance Indicators (KPIs):
• Attack Surface Reduction:

• Percentage of endpoints with Credential Guard enabled.
• Percentage of endpoints with LSA Protection active.
• Percentage of endpoints with the ASR LSASS rule in Block mode.
• Detection & Response Quality:

• Mean Time to Detect (MTTD) for simulated T1003.001 attacks.
• Mean Time to Respond (MTTR) / Contain for simulated T1003.001 attacks.
• True Positive Rate (TPR) for LSASS-related alerts.
• Operational Efficiency:

• Percentage of LSASS alerts automatically enriched and triaged by SOAR.
• Reduction in manual analyst hours spent on credential theft investigations.
• Business Impact:

• Change Failure Rate (%) for new control rollouts.
• Volume of helpdesk tickets related to application compatibility issues caused by new controls.

6.2 Business Continuity and Change Management

The deployment of powerful security controls must be balanced with the need for operational stability.

• Performance Impact Assessment: Establish a formal process to baseline key performance metrics (e.g., boot time, login latency, CPU utilization) on representative systems before and after deploying controls like VBS and Credential Guard.
• User Communication Plan: Develop clear communication templates for different audiences. Inform IT support staff and helpdesk teams about the new controls and potential compatibility issues. Educate end-users about any changes they might experience, such as prompts from new security features.
• Rollback Procedures: Maintain documented and tested procedures for disabling or modifying controls on specific systems or user groups in the event of a critical business application failure. These procedures should be integrated into the change management process.
• Skills Development: Invest in targeted training for key teams. SOC analysts should receive training on advanced KQL, memory forensics, and container security fundamentals. Architects and engineers should be upskilled on cloud-native security tools and identity management in hybrid environments.

By following this structured implementation plan, an organization can systematically and safely deploy a state-of-the-art defense against LSASS credential theft, transforming its security posture from reactive to resilient and building a strong foundation for a secure digital future.

Geciteerd werk

1. T1003.001 LSASS Memory – Mappings Explorer – GitHub Pages, geopend op september 21, 2025, https://center-for-threat-informed-defense.github.io/mappings-explorer/attack/attack-8.2/domain-enterprise/techniques/T1003.001/
2. ATT&CK Technique T1003.001 – Mappings Explorer – GitHub Pages, geopend op september 21, 2025, https://center-for-threat-informed-defense.github.io/mappings-explorer/attack/attack-10.1/domain-enterprise/techniques/T1003.001/
3. MITRE ATT&CK T1003 Credential Dumping – Picus Security, geopend op september 21, 2025, https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1003-credential-dumping
4. OS Credential Dumping: LSASS Memory, Sub-technique T1003.001 …, geopend op september 21, 2025, https://attack.mitre.org/techniques/T1003/001/
5. Mimikatz | Red Canary Threat Detection Report, geopend op september 21, 2025, https://redcanary.com/threat-detection-report/threats/mimikatz/
6. LSASS Dumping Techniques – HawkEye, geopend op september 21, 2025, https://hawk-eye.io/2022/09/lsass-dumping-techniques/
7. LSASS Memory – Red Canary Threat Detection Report, geopend op september 21, 2025, https://redcanary.com/threat-detection-report/techniques/lsass-memory/
8. Credential Dumping in Action: Simulating Fileless Threats to Test Your Defenses | Guardz.com, geopend op september 21, 2025, https://guardz.com/blog/credential-dumping-in-action-simulating-fileless-threats-to-test-your-defenses/
9. CrowdStrike Falcon Prevents Multiple Vulnerable Driver Attacks in Real-World Intrusion, geopend op september 21, 2025, https://www.crowdstrike.com/en-us/blog/falcon-prevents-vulnerable-driver-attacks-real-world-intrusion/
10. Bypassing LSA Protection without Mimikatz on Windows 10 – Red …, geopend op september 21, 2025, https://redcursor.com.au/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10/
11. Credential Dumping Protections: Part 2 – Bypass LSA Protection – Cyber Advisors Blog, geopend op september 21, 2025, https://blog.cyberadvisors.com/technical-blog/blog/credential-dumping-protections-part-2-bypass-lsa-protection
12. Effective AI Powered Malware Detection: Protecting Your Digital Assets | Fidelis Security, geopend op september 21, 2025, https://fidelissecurity.com/cybersecurity-101/cyberattacks/ai-powered-malware-detection/
13. 5 Ways cybercriminals are using AI: Malware generation | Barracuda Networks Blog, geopend op september 21, 2025, https://blog.barracuda.com/2024/04/16/5-ways-cybercriminals-are-using-ai–malware-generation
14. AI Malware Bypasses Microsoft Defender: 8% Success Rate 2025 – Technijian, geopend op september 21, 2025, https://technijian.com/chatgpt/ai-in-tech/ai-malware-successfully-bypasses-microsoft-defender-what-this-means-for-cybersecurity-in-2025/
15. Preventing Container Escape Attempts with Falcon Cloud Runtime Security – CrowdStrike, geopend op september 21, 2025, https://www.crowdstrike.com/en-us/blog/preventing-container-escape-attempts-falcon-cloud-runtime-security/
16. Container Escape Techniques: Breaking Out of the Digital Jail | by zerOiQ, geopend op september 21, 2025, https://infosecwriteups.com/container-escape-techniques-breaking-out-of-the-digital-jail-ad06962c5292
17. Secure Windows containers | Microsoft Learn, geopend op september 21, 2025, https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/container-security
18. What Is Windows Defender Credential Guard? – JumpCloud, geopend op september 21, 2025, https://jumpcloud.com/it-index/what-is-windows-defender-credential-guard
19. Credential Guard overview – Microsoft Learn, geopend op september 21, 2025, https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/
20. How Credential Guard works | Microsoft Learn, geopend op september 21, 2025, https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/how-it-works
21. Microsoft Defender Credential Guard hardware requirements, geopend op september 21, 2025, https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-credential-guard
22. Windows Defender Credential Guard and PEAP MS-CHAPv2 – SecureW2, geopend op september 21, 2025, https://www.securew2.com/blog/windows-defender-credential-guard-and-peap-ms-chapv2
23. Configure added LSA protection | Microsoft Learn, geopend op september 21, 2025, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
24. How to Enable or Disable Local Security Authority Protection in Windows 11 – NinjaOne, geopend op september 21, 2025, https://www.ninjaone.com/blog/configure-local-security-authority-protection/
25. Securing LSASS – Controls to Minimise Attack Surface – EMS Route, geopend op september 21, 2025, https://emsroute.com/2025/09/09/securing-lsass-controls-to-minimise-attack-surface/
26. Microsoft Defender for Endpoint attack surface reduction rules demonstrations, geopend op september 21, 2025, https://learn.microsoft.com/en-us/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules
27. Block credential stealing from the Windows local security authority subsystem (lsass.exe), geopend op september 21, 2025, https://www.gitbit.org/course/ms-500/blog/block-credential-stealing-from-the-windows-local-security-authority-subsystem-lsass-exe-lo8coidr
28. What’s new in Windows Server 2025 Security Baseline (v2506) – Prajwal Desai, geopend op september 21, 2025, https://www.prajwaldesai.com/windows-server-2025-security-baseline/
29. Windows Server 2025, security baseline – Microsoft Community Hub, geopend op september 21, 2025, https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733
30. Sysmon – IBM, geopend op september 21, 2025, https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.extensions.doc/r_sysmon_ext.html
31. Suspicious Lsass Process Access | Prebuilt detection rules reference – Elastic, geopend op september 21, 2025, https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_suspicious_lsass_access_generic
32. Learn the advanced hunting query language in Microsoft Defender …, geopend op september 21, 2025, https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-query-language
33. Operationalize attack surface reduction rules – Microsoft Defender for Endpoint, geopend op september 21, 2025, https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize
34. FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics, geopend op september 21, 2025, https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training
35. SANS FOR 508 Advanced Incident Response, Threat Hunting, and Digital Forensics, geopend op september 21, 2025, https://markmorow.com/blog/2025/SANS-FOR-508/
36. Digital Forensics and Incident Response Training – SANS Institute, geopend op september 21, 2025, https://www.sans.org/cybersecurity-focus-areas/digital-forensics-incident-response
37. CredentialAccess – Microsoft Sentinel Analytic Rules, geopend op september 21, 2025, https://analyticsrules.exchange/tactics/CredentialAccess/
38. GuardDuty -Runtime Monitoring for EC2: A Hands-on Guide with Troubleshooting – Medium, geopend op september 21, 2025, https://medium.com/@noble-antwi/guardduty-runtime-monitoring-for-ec2-a-hands-on-guide-with-troubleshooting-3d4976cb4158
39. Amazon GuardDuty EC2 Runtime Monitoring is now generally available | AWS News Blog, geopend op september 21, 2025, https://aws.amazon.com/blogs/aws/amazon-guardduty-ec2-runtime-monitoring-is-now-generally-available/
40. Get to know Amazon GuardDuty Runtime Monitoring for Amazon EC2 | AWS Security Blog, geopend op september 21, 2025, https://aws.amazon.com/blogs/security/get-to-know-amazon-guardduty-runtime-monitoring-for-amazon-ec2/
41. Logging Amazon GuardDuty API calls with AWS CloudTrail, geopend op september 21, 2025, https://docs.aws.amazon.com/guardduty/latest/ug/logging-using-cloudtrail.html
42. Security Command Center | Community, geopend op september 21, 2025, https://security.googlecloudcommunity.com/security-command-center-4/index3.html
43. Credential Access: Find Google Cloud Credentials | Security Command Center, geopend op september 21, 2025, https://cloud.google.com/security-command-center/docs/findings/threats/find-gcp-credentials
44. Security Command Center – Marketplace – Google Cloud Console, geopend op september 21, 2025, https://console.cloud.google.com/marketplace/product/google-cloud-platform/cloud-security-command-center-premium
45. Using Minimus to Achieve NIST SP 800-190 Container Security Compliance, geopend op september 21, 2025, https://www.minimus.io/post/using-minimus-to-align-with-nist-sp-800-190
46. Application Container Security Guide – NIST Technical Series …, geopend op september 21, 2025, https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf
47. Kubernetes Security Best Practices + Checklist – ARMO, geopend op september 21, 2025, https://www.armosec.io/blog/kubernetes-security-best-practices/
48. Kubernetes Security Best Practices: Definitive Guide | CSA, geopend op september 21, 2025, https://cloudsecurityalliance.org/articles/kubernetes-security-best-practices-definitive-guide
49. Securing a Cluster | Kubernetes, geopend op september 21, 2025, https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
50. Best Practices for Container Runtime Security, geopend op september 21, 2025, https://blog.rad.security/blog/container-runtime
51. AKS Security Best Practices: Protect Your Kubernetes Clusters | Wiz, geopend op september 21, 2025, https://www.wiz.io/academy/aks-security-best-practices
52. Zero Trust Architecture (ZTA) Explained – NIST 800-207, geopend op september 21, 2025, https://getnametag.com/newsroom/nist-800-207-zero-trust-architecture-zta-explained
53. What is the NIST SP 800-207 cybersecurity framework? – CyberArk, geopend op september 21, 2025, https://www.cyberark.com/what-is/nist-sp-800-207-cybersecurity-framework/
54. What is Adaptive Access Control? – Citrix, geopend op september 21, 2025, https://www.citrix.com/glossary/what-is-adaptive-access-control.html
55. What is Adaptive Access Control? Benefits and Examples – JumpCloud, geopend op september 21, 2025, https://jumpcloud.com/it-index/what-is-adaptive-access-control
56. Understanding the GDPR breach notification timeline: A step-by-step guide – Thoropass, geopend op september 21, 2025, https://thoropass.com/blog/compliance/gdpr-breach-notification-timeline/
57. Art. 33 GDPR – Notification of a personal data breach to the …, geopend op september 21, 2025, https://gdpr-info.eu/art-33-gdpr/
58. NIS2 Directive: securing network and information systems | Shaping …, geopend op september 21, 2025, https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
59. What Is the NIS2 Directive? Compliance Requirements | Proofpoint US, geopend op september 21, 2025, https://www.proofpoint.com/us/threat-reference/nis2-directive
60. The NIS 2 Directive | Updates, Compliance, Training, geopend op september 21, 2025, https://www.nis-2-directive.com/
61. ISO 27001:2022 Annex A 8.24 – Use of Cryptography – ISMS.online, geopend op september 21, 2025, https://www.isms.online/iso-27001/annex-a-2022/8-24-use-of-cryptography-2022/
62. ISO 27001:2022 Annex A Control 5.15 Explained – ISMS.online, geopend op september 21, 2025, https://www.isms.online/iso-27001/annex-a-2022/5-15-access-control-2022/
63. ISO 27001 Controls Explained: A Guide to Annex A (Updated 2024) | Secureframe, geopend op september 21, 2025, https://secureframe.com/hub/iso-27001/controls
64. ISO/IEC 42001:2023 Artificial Intelligence Management System Standards – Microsoft Learn, geopend op september 21, 2025, https://learn.microsoft.com/en-us/compliance/regulatory/offering-iso-42001
65. What is an artificial intelligence management system (AIMS)? – DNV, geopend op september 21, 2025, https://www.dnv.com/assurance/Management-Systems/iso-42001-ai-management/aims-and-iso-iec-42001/
66. ISO/IEC 42001: a new standard for AI governance – KPMG International, geopend op september 21, 2025, https://kpmg.com/ch/en/insights/artificial-intelligence/iso-iec-42001.html
67. How Post-Quantum Cryptography Affects Security and Encryption …, geopend op september 21, 2025, https://blogs.cisco.com/developer/how-post-quantum-cryptography-affects-security-and-encryption-algorithms
68. NTLM Explained: Definition, Protocols & More | CrowdStrike, geopend op september 21, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/identity-protection/windows-ntlm/
69. Post-quantum resilience: building secure foundations – Microsoft On the Issues, geopend op september 21, 2025, https://blogs.microsoft.com/on-the-issues/2025/08/20/post-quantum-resilience-building-secure-foundations/
70. Quantum computing exposes Active Directory to urgent new risks – ChannelLife Canada, geopend op september 21, 2025, https://channellife.ca/story/quantum-computing-exposes-active-directory-to-urgent-new-risks
71. Microsoft Accelerates Post-Quantum Cryptography Transition with Global Standards Push, geopend op september 21, 2025, https://redmondmag.com/articles/2025/08/20/cryptography-transition-with-global-standards-push.aspx