Everything you need to know about LSASS (From Red Team Perspective)
If you open Task Manager on Windows, you will see a process called 'lsass.exe'. LSASS (Local Security Authority Server Service) is the process in Windows that enforces the system's security policy (Wikipedia). LSASS is responsible for AD database lookups, authentication, and AD replication. Put simply, for those who are not familiar with Active Directory, LSASS is the process that checks whether user-provided credentials are valid.
Why is LSASS important?
As mentioned earlier, one of the functions of LSASS is to check users' logins and permissions. LSASS has access to all the authentication providers, such as NTLM and Kerberos. So LSASS holds the NT hashes and Kerberos tickets, and if WDigest isn't disabled on the host, clear-text credentials as well. If you are familiar with the web, you can think of LSASS as a website's database (though LSASS is not a database) holding all of the site's credentials: just as you can perform SQL injection on a web application and dump the credentials from its database, you can dump the credentials from LSASS (if you have sufficient permissions).
Attacking LSASS:
Dumping credentials from LSASS is as easy as running a few commands, but before you can do so you need the SeDebugPrivilege privilege. By default SeDebugPrivilege is granted only to local Administrators. You can check whether the user has it by running
whoami /priv
Note: Modern PowerShell has protections that can prevent you from dumping credentials from LSASS.
To dump credentials from LSASS, open Task Manager, right-click lsass.exe and click 'Create Dump File'.
Note: Windows Firewall could detect the dump file, so disable the antivirus before dumping LSASS.
Once the dump completes, it creates an lsass.dmp file. Move that file to your own system and run pypykatz to extract the credentials from it.
pypykatz lsa minidump lsass.dmp
Different methods to dump LSASS:
We might not get RDP access to the machine every time (in most cases we only have PowerShell access). For those cases, here are different techniques to dump credentials from LSASS.
Using Mimikatz
You can run the Mimikatz PowerShell script and dump LSASS with the following command.
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonPasswords"'
Or, if you have dumped LSASS on the victim PC and want to read the dump on your own Windows machine, run the following command.
Invoke-Mimikatz -Command '"sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords"'
Using ProcDump
Run the following command to dump LSASS with ProcDump:
.\procdump.exe -ma lsass.exe lsass.dmp
As mentioned earlier, Windows Defender can delete the dump file. To bypass this you can simply use the process ID of lsass instead of its name.
tasklist /fi "imagename eq lsass.exe"
.\procdump.exe -ma $lsass_pid lsass.dmp
Comsvcs.dll
The native comsvcs.dll DLL found in C:\Windows\system32 can be used with rundll32 to dump LSASS's process memory.
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.dmp full
There are various PowerShell scripts on GitHub that will dump LSASS; you can use any of them for convenience.
Here are a few tools that you can use.
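From the defender's side, every method in this section (Task Manager's 'Create Dump File', ProcDump by name or PID, rundll32 with comsvcs.dll MiniDump, Mimikatz sekurlsa) has to open a handle to lsass.exe that includes PROCESS_VM_READ, and Sysmon records exactly that in Event ID 10 (ProcessAccess: SourceImage, TargetImage, GrantedAccess) while Event ID 1 (ProcessCreate) captures the rundll32 command line. The following is an added example, not code from the original post: a small detector run over constructed Sysmon records. The flattened event format, the sample events (including the made-up PID 624), and the allowlist of benign source images are all assumptions for this example; a real deployment needs Sysmon configured to log ProcessAccess for lsass.exe.

```python
"""Added example: flag LSASS memory access in flattened Sysmon records."""
import re
from typing import Dict, List, Tuple

PROCESS_VM_READ = 0x0010       # required by every memory-dumping technique
PROCESS_ALL_ACCESS = 0x1FFFFF  # Task Manager and ProcDump request full access

# Assumed allowlist: images that open LSASS handles during normal operation
# on the monitored host. Tune this per environment.
BENIGN_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# rundll32 loading comsvcs.dll and calling its MiniDump export
COMSVCS_DUMP = re.compile(r"comsvcs\.dll.*\bminidump\b", re.IGNORECASE)

# Constructed sample records: one flattened Sysmon event per line, fields
# separated by '|'. Not real telemetry; the PID 624 is made up.
SAMPLE_EVENTS = [
    "EventID: 10|SourceImage: C:\\Windows\\System32\\svchost.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1000",
    "EventID: 10|SourceImage: C:\\Windows\\System32\\Taskmgr.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1FFFFF",
    "EventID: 10|SourceImage: C:\\Tools\\procdump.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1FFFFF",
    "EventID: 10|SourceImage: C:\\Windows\\System32\\rundll32.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1010",
    "EventID: 1|Image: C:\\Windows\\System32\\rundll32.exe|CommandLine: rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\temp\\lsass.dmp full",
    "EventID: 10|SourceImage: C:\\Windows\\System32\\svchost.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1FFFFF",
    "EventID: 10|SourceImage: C:\\Program Files\\Editor\\editor.exe|TargetImage: C:\\Windows\\System32\\notepad.exe|GrantedAccess: 0x1FFFFF",
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Key: Value|Key: Value' into a dict with lower-cased keys.
    Only the first ':' of each field separates key from value, so the drive
    letter in a Windows path survives."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> str:
    """Return an alert label for a suspicious event, or '' if there is nothing to report."""
    eid = event.get("eventid")
    if eid == "1":
        return "lsass-dump-comsvcs" if COMSVCS_DUMP.search(event.get("commandline", "")) else ""
    if eid != "10":
        return ""
    if not event.get("targetimage", "").lower().endswith("\\lsass.exe"):
        return ""
    access = int(event.get("grantedaccess", "0x0"), 16)
    if not access & PROCESS_VM_READ:
        return ""  # handle cannot read memory (e.g. 0x1000, QUERY_LIMITED_INFORMATION)
    # Full-access opens are reported even from allowlisted images: the
    # allowlist matches on path only, and routine housekeeping does not need it.
    if access == PROCESS_ALL_ACCESS:
        return "lsass-full-access"
    if event.get("sourceimage", "").lower() in BENIGN_SOURCES:
        return ""
    return "lsass-memory-read"


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify over raw records; returns (label, offending image) pairs."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        event = parse_event(line)
        label = classify(event)
        if label:
            alerts.append((label, event.get("sourceimage") or event.get("image", "")))
    return alerts


if __name__ == "__main__":
    for label, image in scan(SAMPLE_EVENTS):
        print(f"{label:<20} {image}")
```

Run as a script it prints five alerts: the Task Manager, ProcDump and (allowlisted but full-access) svchost opens, the rundll32 read handle, and the comsvcs MiniDump command line; the svchost query-only handle and the notepad access are left alone. Switching by PID, as the ProcDump section suggests, changes nothing here because the detector keys on the target image and access mask rather than on the command line.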
Enable WDigest
If WDigest is enabled you can get clear-text credentials from LSASS. You can enable WDigest in Windows by executing the following command.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /d 1
Note: Enabling WDigest means you are downgrading the security of the host.
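Because this downgrade is a single registry value, it is also easy to audit. The following is an added example, not code from the original post: it classifies the WDigest state from the text output of reg query for the HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest key shown above. The sample outputs are constructed, not captured from a real host; the filler value names beside UseLogonCredential and the legacy_os flag (the caller's statement of whether the host predates Windows 8.1 / Server 2012 R2, where an absent value still means caching is on) are assumptions of this example.

```python
"""Added example: audit the WDigest UseLogonCredential setting from reg query output."""
from typing import Dict, Tuple

VALUE_NAME = "UseLogonCredential"

# Constructed `reg query HKLM\...\WDigest` outputs for the four states this
# audit distinguishes (value names other than UseLogonCredential are filler).
SAMPLE_DOWNGRADED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Negotiate    REG_DWORD    0x0
    UTF8HTTP    REG_DWORD    0x1
    UseLogonCredential    REG_DWORD    0x1
"""
SAMPLE_HARDENED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Negotiate    REG_DWORD    0x0
    UseLogonCredential    REG_DWORD    0x0
"""
SAMPLE_ABSENT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Negotiate    REG_DWORD    0x0
    DigestEncryptionAlgorithms    REG_SZ    3des,rc4
"""
# `reg add` without /t REG_DWORD creates a REG_SZ; that deserves its own finding
SAMPLE_WRONG_TYPE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential    REG_SZ    1
"""


def parse_reg_query(output: str) -> Dict[str, Tuple[str, str]]:
    """Map value name -> (type, data). The key-path header and blank lines are
    skipped; REG_SZ data may contain spaces, so split at most twice."""
    values: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values[parts[0]] = (parts[1], parts[2])
    return values


def wdigest_status(reg_output: str, legacy_os: bool = False) -> str:
    """Classify clear-text credential caching from the WDigest key contents.

    legacy_os=True means Windows 7 / 8 / Server 2008 R2 / 2012, where an absent
    value leaves caching ON; on Windows 8.1 / Server 2012 R2 and later an absent
    value means OFF. The caller supplies this (assumption of the example)."""
    values = parse_reg_query(reg_output)
    if VALUE_NAME not in values:
        return "absent-enabled" if legacy_os else "absent-disabled"
    reg_type, data = values[VALUE_NAME]
    if reg_type != "REG_DWORD":
        return "wrong-type"  # value exists but is not the DWORD LSASS expects; review by hand
    return "enabled" if int(data, 16) != 0 else "disabled"


def is_downgraded(status: str) -> bool:
    """True for every state a defender should act on."""
    return status in {"enabled", "absent-enabled", "wrong-type"}


if __name__ == "__main__":
    for name, sample in [("downgraded", SAMPLE_DOWNGRADED), ("hardened", SAMPLE_HARDENED),
                         ("absent", SAMPLE_ABSENT), ("wrong-type", SAMPLE_WRONG_TYPE)]:
        status = wdigest_status(sample)
        print(f"{name:<11} -> {status:<16} act: {is_downgraded(status)}")
```

Feeding it the output of reg query from each host turns the note above into a check: a host reporting "enabled", "absent-enabled" or "wrong-type" has been downgraded (or is ambiguously configured) and should have UseLogonCredential set back to a REG_DWORD of 0.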
That's all for LSASS. I hope this article helped you understand LSASS. You can find me on Twitter at @0x4vian