Attacking LSASS

• Upon initial logon, LSASS will:

  • Cache credentials locally in memory

  • Create access tokens

  • Enforce security policies

  • Write to Windows security log

Dumping LSASS Process Memory

Task Manager Method

• A file called lsass.DMP is created and saved in:

• to copy files use

  • Create SMB server Linux (HACK)

Rundll32.exe & Comsvcs.dll Method

• modern anti-virus tools recognize this method as malicious activity.

• Before issuing the command to create the dump file, we must determine what process ID (PID) is assigned to lsass.exe.

• This can be done from cmd or PowerShell:

Finding LSASS PID in cmd

Finding LSASS PID in PowerShell

Creating lsass.dmp using PowerShell

• to copy files use

  • Create SMB server Linux (HACK)

Using Pypykatz to Extract Credentials

• Pypykatz