Some ways to dump LSASS.exe

Mark Mo
Mark Mo
Jul 2 · 5 min read

As always this is for educational purposes. I like to find multiple ways to do the same thing. It helps me learn and writing about it help me learn too. This is a list of several ways to dump LSASS.exe (Local Security Authority Subsystem Service).

Before I begin, when I’m running Windows 10 or Windows Server 2016 (or higher) and Credential Guard is configured and running, dumping LSASS won’t be super useful for NTLM Hashes. This is what it looks like if Credential Guard is running and I try to get NTLM hash. No good for dumping ☹

However, If I’m running older windows OS’s or Credential Guard is not configured and running, I may be able to pull the NTLM hashes (or even passwords). Someone recently tweeted this script to check if Credential Guard is configured and running (Thank you twitter peeps!)

$DevGuard = Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuardif ($DevGuard.SecurityServicesConfigured -contains 1) {"Credential Guard configured"}if ($DevGuard.SecurityServicesRunning -contains 1) {"Credential Guard running"}

I can see Credential Guard isn’t configured or running on my lab machine.

Let’s start Dumping LSASS.EXE.

The first way is to use task manager (running as admin). Click on lsass.exe and select “Create Dump File”

A popup will let me know where it gets dumped with the path to the dmp file.

Sysinternals is great for dumping too. (https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) or http://live.sysinternals.com if I just want specific files.

First run a command as admin and run “psexec -i -s cmd”. This will launch a command prompt with system rights. *** I found that if I run without SYSTEM Rights the file doesn’t get created (because of Defender) but If I run as with SYSTEM rights, windows defender lets it write to disk ***

Next run “procdump -ma lsass.exe lsass.dmp”

Here is what defender says

The dmp file is still produced though.

Next is Sharp dump — compile the source and run it from an admin command prompt — I cover how to compile it in a previous post here: https://medium.com/@markmotig/research-and-organization-on-the-go-and-refinement-when-time-permits-3d25763d3586

Here is the directory with the compiled exe

Here is the output file. As it suggests, rename the file to .GZ and you can unzip it and use it on your attacking machine to extract the NTLM hashes for cracking.

Next is Mini-Dump from @mattifestation (https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1).

Import the module -->  “Import-Module .\OutMiniDump.ps1”Then run the command --> “Get-Process lsass | Out-Minidump”

Another way someone shared recently is Dumpert. Dumpert may be able to bypass AV (https://github.com/outflanknl/Dumpert) Here is a quote from the GitHub Repo

“This tool demonstrates the use of direct System Calls and API unhooking and combine these techniques in a proof of concept code which can be used to create a LSASS memory dump using Cobalt Strike, while not touching disk and evading AV/EDR monitored user-mode API calls.”

After compiling it, the repository suggests two ways to run it. First the EXE

The second way is to run it using the dll. I copied all of the files from the DLL output build into a folder and run this command in the folder that contains all of the DLL output files.

rundll32 Outflank-Dumpert-DLL.dll,Dump

Also, I saw this technique recently as well from @kondencuotas but I wasn’t able to get it to work. I’m sure I’m doing something wrong. It may be worth a look as well.

Now a quick write up of how to get the hashes out with mimikatz. I copy a few dump files to my mimikatz directory (I have AV turned off while I run mimikatz) Here are the commands I’m running and I can see the hashes in the image.

Mimikatz “sekurlsa::minidump DUMPFILENAME”“sekurlsa::LogonPasswords”

I’ll copy the NTLM hash and put it in a file for cracking on my Kali box

Here is a sample of some hashes I’m going to crack

Next I run Hashcat with the NTLM selected for cracking.

When it finishes it will provide some feedback. I put the passwords in my rockyou.txt password dictionary file so this works and here is the output of the cracked.txt with the passwords to the right of the hashes.

I hope you learned at least one new way of dumping LSASS. Feel free to follow me on Twitter _@markmo_ (yes with the underscores). Cheers!

Mark Mo

Written by

Mark Mo

@_markmo_ on twitter