Pentest List Wiki
LSASS secrets

How to find sensitive data in the LSASS.


Last updated 11 months ago

Overview

In Windows, the Local Security Authority Subsystem Service (LSASS) is the process that enforces the security policy on the system. LSASS handles tasks such as user logon and password changes, which means that credentials and hashes are held in the memory of the LSASS process. With administrative rights, those credentials and hashes can be extracted.

Local Dumping

Locally Dumping LSASS

ProcDump is a Windows tool from the Sysinternals package and can be used to dump the process memory of LSASS. Because it is a signed Microsoft binary, it may be a more legitimate-looking method of dumping LSASS than bringing in other unsigned attack tools.

The following command will dump the LSASS memory to a .dmp file:

procdump.exe -accepteula -ma lsass.exe lsass.dmp
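Whatever tool performs the dump, it has to open a handle to lsass.exe with rights that allow reading its memory, and Sysmon records that as Event ID 10 (ProcessAccess). The detection below is an added example, not code from this wiki or from any of the tools it lists: it decodes the GrantedAccess mask and flags any source image that obtains PROCESS_VM_READ (0x0010) on lsass.exe. The log lines and the allow-list of vetted source images are constructed placeholders for illustration.

```python
# Added example (not from the wiki): flag Sysmon Event ID 10 (ProcessAccess)
# records in which a process opens lsass.exe with rights sufficient to read
# its memory. Log lines below are constructed, key=value style, not real exports.
import re

PROCESS_VM_READ = 0x0010            # needed to read process memory (MiniDumpWriteDump-style dumps)
PROCESS_QUERY_INFORMATION = 0x0400  # usually requested alongside VM_READ by dumpers

# Hypothetical allow-list of source images this environment has vetted.
# These are placeholders; tune to your own telemetry.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

SAMPLE_EVENTS = [
    # constructed: procdump opening lsass with full access (0x1FFFFF includes VM_READ)
    'EventID=10 SourceImage=C:\\Tools\\procdump.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF',
    # constructed: benign system process that is allow-listed
    'EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF',
    # constructed: query-only handle, cannot read memory
    'EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000',
    # constructed: full access to a different process, not in scope
    'EventID=10 SourceImage=C:\\Tools\\procdump.exe TargetImage=C:\\Windows\\System32\\svchost.exe GrantedAccess=0x1FFFFF',
    # constructed: a process-creation event, not a ProcessAccess event
    'EventID=1 Image=C:\\Tools\\procdump.exe CommandLine="procdump.exe -accepteula -ma lsass.exe lsass.dmp"',
]


def parse_event(line):
    """Split a constructed 'key=value key=value' line into a dict; quoted values stay whole."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def is_lsass_read(event):
    """True when a ProcessAccess event targets lsass.exe with PROCESS_VM_READ set."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)   # Sysmon logs the mask as hex text
    return bool(granted & PROCESS_VM_READ)


def find_lsass_access(lines):
    """Return (source image, access mask) for each suspicious event, skipping allow-listed sources."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not is_lsass_read(ev):
            continue
        if ev.get("SourceImage", "").lower() in ALLOWED_SOURCES:
            continue
        hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for src, mask in find_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT: lsass memory opened for read by {src} (GrantedAccess={mask})")
```

Checking the VM_READ bit rather than matching a fixed list of masks (0x1010, 0x1410, 0x1FFFFF and so on) keeps the rule stable when a tool requests an unusual combination; the allow-list is where environment-specific noise from AV and system processes is handled.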

Credential Extraction

Once the lsass.dmp file has been obtained and transferred to an attack machine, Mimikatz or pypykatz can be used to extract the data from it.

After opening mimikatz on the attack machine, the following command should be used:

sekurlsa::minidump "lsass.dmp"

sekurlsa::logonpasswords

After opening pypykatz on the attack machine, the following command should be used:

pypykatz lsa minidump lsass.dmp
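The file that Mimikatz and pypykatz consume here is a standard Windows minidump, and it keeps its format no matter what it is renamed to before leaving the host. The triage helper below is an added example, not code from this wiki or from either tool: it recognises a minidump by the MDMP signature and fixed 32-byte MINIDUMP_HEADER at offset 0, so a responder can find dump artifacts by content rather than by the .dmp extension. The sample file contents are constructed header-only stubs, not real dumps.

```python
# Added example (not from the wiki): identify minidump files such as lsass.dmp
# by their header rather than their name. Sample file contents are constructed.
import os
import struct

MINIDUMP_SIGNATURE = b"MDMP"   # first four bytes of every minidump
MINIDUMP_HEADER_LEN = 32       # sizeof(MINIDUMP_HEADER)


def parse_minidump_header(data):
    """Return version, stream count and directory offset from a minidump header,
    or None when the bytes are not a (complete) minidump header."""
    if len(data) < MINIDUMP_HEADER_LEN or data[:4] != MINIDUMP_SIGNATURE:
        return None
    # MINIDUMP_HEADER (little-endian): Signature, Version, NumberOfStreams,
    # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags (ULONG64)
    _, version, n_streams, dir_rva = struct.unpack_from("<4sIII", data, 0)
    return {
        "version": version & 0xFFFF,   # low word is the format version (0xA793)
        "streams": n_streams,
        "directory_rva": dir_rva,
    }


def _fake_minidump(n_streams=3):
    """Constructed header-only minidump used as sample input; not a real dump."""
    return struct.pack("<4sIIIIIQ", MINIDUMP_SIGNATURE, 0xA793, n_streams,
                       MINIDUMP_HEADER_LEN, 0, 0, 0)


# Constructed sample "files": name -> content
SAMPLE_FILES = {
    "lsass.dmp": _fake_minidump(),
    "report.docx": _fake_minidump(5),        # dump renamed to hide under an office extension
    "notes.txt": b"just text, not a dump",
    "tiny.dmp": b"MDMP",                     # signature only, header truncated
}


def triage(files):
    """Return the names of files whose content is a minidump, regardless of extension."""
    return sorted(name for name, data in files.items()
                  if parse_minidump_header(data) is not None)


def scan_directory(root):
    """Walk `root` on disk and return paths whose first 32 bytes parse as a minidump header."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MINIDUMP_HEADER_LEN)
            except OSError:
                continue
            if parse_minidump_header(head) is not None:
                found.append(path)
    return found


if __name__ == "__main__":
    for name in triage(SAMPLE_FILES):
        print(f"minidump found: {name} -> {parse_minidump_header(SAMPLE_FILES[name])}")
```

scan_directory only reads the first 32 bytes of each file, so it is cheap to run over temp directories, user profiles and file shares during an investigation; the same check works on upload scanners or DLP hooks that see file content in transit.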

Remotely Dumping (With Credentials)

LSASS can be dumped remotely using lsassy with local administrator credentials. lsassy is a project that ties together two other well-known tools, impacket and pypykatz, to retrieve the data stored in LSASS.

Dump LSASS credentials with plaintext credentials

lsassy -d <domain> -u <user> -p <password> <target>

Dump LSASS credentials with pass-the-hash (NTLM)

lsassy -u <user> -H <NThash> <target>

Dump LSASS credentials with pass-the-ticket (Kerberos)

lsassy -k <target>

Requires an environment variable to be set, see here.

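Each of the lsassy variants above authenticates to the target over the network before triggering the dump, so on the target a network logon (Security Event 4624, LogonType 3) lands shortly before the lsass memory read (Sysmon Event 10). The correlation below is an added example, not code from this wiki or from lsassy: it joins the two log sources by host and time window. The events are constructed and already parsed into dicts, and the 120-second window is an assumed tuning value.

```python
# Added example (not from the wiki): correlate a network logon (Security 4624,
# LogonType 3) with a subsequent read of lsass memory (Sysmon 10) on the same
# host. Events are constructed; timestamps are seconds since epoch.
from collections import defaultdict

WINDOW_SECONDS = 120     # assumed: how long after the logon the dump is expected
PROCESS_VM_READ = 0x0010

SAMPLE_EVENTS = [
    # WS01: network logon by an admin account, lsass read 3 seconds later -> hit
    {"ts": 1000, "host": "WS01", "source": "Security", "id": 4624, "logon_type": 3,
     "user": "CORP\\admin", "ip": "10.0.0.50"},
    {"ts": 1003, "host": "WS01", "source": "Sysmon", "id": 10,
     "target": "C:\\Windows\\System32\\lsass.exe", "access": 0x1FFFFF,
     "image": "C:\\Windows\\Temp\\pd.exe"},
    # WS02: lsass read 400 seconds after the logon -> outside the default window
    {"ts": 2000, "host": "WS02", "source": "Security", "id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "ip": "10.0.0.9"},
    {"ts": 2400, "host": "WS02", "source": "Sysmon", "id": 10,
     "target": "C:\\Windows\\System32\\lsass.exe", "access": 0x1FFFFF,
     "image": "C:\\Windows\\System32\\csrss.exe"},
    # WS03: interactive logon (type 2), so not a remote dump pattern
    {"ts": 3000, "host": "WS03", "source": "Security", "id": 4624, "logon_type": 2,
     "user": "CORP\\alice", "ip": "-"},
    {"ts": 3005, "host": "WS03", "source": "Sysmon", "id": 10,
     "target": "C:\\Windows\\System32\\lsass.exe", "access": 0x1FFFFF,
     "image": "C:\\Tools\\procdump.exe"},
]


def is_network_logon(ev):
    return ev["source"] == "Security" and ev["id"] == 4624 and ev["logon_type"] == 3


def is_lsass_read(ev):
    return (ev["source"] == "Sysmon" and ev["id"] == 10
            and ev["target"].lower().endswith("\\lsass.exe")
            and bool(ev["access"] & PROCESS_VM_READ))


def correlate(events, window=WINDOW_SECONDS):
    """Return (host, user, source ip, image) for each lsass read that follows a
    network logon on the same host within `window` seconds."""
    ordered = sorted(events, key=lambda e: e["ts"])
    logons = defaultdict(list)              # host -> network logons, in time order
    hits = []
    for ev in ordered:
        if is_network_logon(ev):
            logons[ev["host"]].append(ev)
        elif is_lsass_read(ev):
            for lg in logons[ev["host"]]:
                if 0 <= ev["ts"] - lg["ts"] <= window:
                    hits.append((ev["host"], lg["user"], lg["ip"], ev["image"]))
    return hits


if __name__ == "__main__":
    for host, user, ip, image in correlate(SAMPLE_EVENTS):
        print(f"ALERT: {user} from {ip} logged on to {host} and {image} read lsass memory")
```

Processing events in time order means a logon is only ever matched with reads that come after it; the 4624 record also supplies the account and source address, which is the pivot a responder needs to find where the credentials used by lsassy were themselves obtained.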
https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
https://github.com/gentilkiwi/mimikatz
https://github.com/skelsec/pypykatz
https://github.com/login-securite/lsassy