Local Security Authority Subsystem Service
LSASS is the Windows process that enforces security policy and handles logons, which means it holds credential material such as NTLM hashes and Kerberos tickets in memory. Dumping LSASS memory with tools like Mimikatz is one of the most common credential theft techniques in real intrusions. Defenses include running LSASS as a protected process, enabling Credential Guard, and alerting on any process that opens a handle to LSASS.