When a user logs into Windows, the logon is handled by a program named WinLogon.exe. It calls the LsaLogonUser() function in Secur32.dll, which hands the user's credentials to the Local Security Authority Subsystem Service (LSASS) for authentication. Windows 'Security Support Providers (SSPs)' are implemented by several DLLs, mainly NTLM, SAM and Kerberos. At system startup these SSPs are loaded into the LSASS process, which gives them access to the encrypted passwords, plaintext passwords and hashes stored in the system. LSASS uses the SSPs to obtain user credentials in various ways and keeps the resulting credential material in its memory: encrypted passwords, Kerberos tickets, NTLM hashes and so on. This credential material is the primary target for attackers before they move laterally between endpoints. In the MITRE ATT&CK matrix the technique is called 'OS Credential Dumping: LSASS Memory, T1003.001', and the well-known Mimikatz is the main tool used for it. In practice, issuing an LSASS dump command is quite simple, but the speaker will share the technical principles of LSASS, an analysis of the program logic behind an LSASS dump, and the forensics of this attack process from the perspective of cybersecurity forensics.
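An added example of the forensic side of T1003.001, not part of the session abstract or the speaker's material: it scans Sysmon Event ID 10 (ProcessAccess) records for processes that open lsass.exe with memory-read rights, the access a credential dumper needs. The flattened 'Key=Value|Key=Value' log format, the sample lines and the allowlist of benign readers are assumptions; the PROCESS_* access-mask bits are the documented Windows values.

```python
"""Flag processes that open LSASS memory for reading, from Sysmon Event ID 10 records.

Assumption: each record has been flattened to 'Key=Value' pairs joined by '|',
as a log shipper might emit them. The sample lines are constructed, not real telemetry.
"""

# Documented Windows process access rights (winnt.h). A dumper needs PROCESS_VM_READ;
# PROCESS_ALL_ACCESS (0x1FFFFF) includes that bit and is therefore caught too.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # often seen alone from benign inventory tools

# Processes that legitimately read lsass.exe memory on a typical host.
# This allowlist is an assumption and must be tuned per environment.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample log: one benign limited query, two suspicious reads,
# an unrelated Event ID 1, and an allowlisted full-access open.
SAMPLE_LOG = """\
EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000
EventID=10|SourceImage=C:\\Users\\bob\\Downloads\\mimikatz.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010
EventID=10|SourceImage=C:\\Windows\\System32\\taskmgr.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF
EventID=1|Image=C:\\Windows\\System32\\notepad.exe
EventID=10|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF
"""


def parse_record(line):
    """Turn 'k=v|k=v' into a dict; returns {} for a blank line."""
    return dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)


def reads_lsass_memory(rec):
    """True when a ProcessAccess event grants memory-read rights on lsass.exe."""
    if rec.get("EventID") != "10":
        return False
    if not rec.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    mask = int(rec.get("GrantedAccess", "0"), 16)
    return bool(mask & PROCESS_VM_READ)


def find_suspicious_lsass_access(log_text):
    """Return (SourceImage, GrantedAccess) for non-allowlisted readers of LSASS memory."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if reads_lsass_memory(rec) and rec.get("SourceImage", "").lower() not in BENIGN_SOURCES:
            hits.append((rec["SourceImage"], rec["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for src, access in find_suspicious_lsass_access(SAMPLE_LOG):
        print(f"T1003.001 candidate: {src} opened lsass.exe with GrantedAccess={access}")
```

Run against the constructed sample, the svchost.exe query (0x1000, no PROCESS_VM_READ) and the allowlisted csrss.exe open are ignored, while the two remaining readers are reported.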
TOPIC / TRACK: DFIR Forum
LOCATION: Taipei Nangang Exhibition Center, Hall 2, 7F 701H
LEVEL: General (General sessions explore new cybersecurity knowledge and non-technical topics, ideal for those with limited or no prior cybersecurity knowledge.)
SESSION TYPE: Breakout Session
LANGUAGE: Chinese
SUBTOPIC: Threat Research, Windows, Endpoint Security