LSASS Memory

Adversaries may attempt to access credential material stored in the process memory of the Local Security SubSystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump:

· Procdump -ma lsass.exe lsass_dump

Locally, mimikatz can be run using:

· Ekurlsa::minidump lsassdump.dmp

· Sekurlsa::logonPasswords

Windows Security Support Provider(SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys:

· HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

· HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages

An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when AddSecurityPackage Windows API function is called.

The following SSPs can be used to access credentials:

· Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.

· Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.

· Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.

· CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.


There are various methods for Dumping Credentials here but I will work with the most commonly known for Demonstration Purposes, will start with mimikatz.

Administrator Privileges are needed

When we have the mimikatz binary on Disk we can run it with the following commands and Dump Credentials. Down below we see a demonstration of a successful attack

Now will continue with another sample, ProcDump. A windows signed binary from SysinternalSuite will create a dump of the lsass process and have credentials stored on it.

Above we see the image of Procdump executing and dumping our process. We can see our file below dumped on the machine.

Now to extract credentials is simple we can use tools such as mimikatz or pypykatz on another machine and work with this file, here are a few demonstrations:

Above we see that we can change mimikatz to MINIDUMP and have it grab the credentials from the DUMP file. But what if we only have a Linux box?, another feasible option would be to use pypykatz the python version of mimikatz.

Above we can see a sample of pypykatz grabbing creds from a dump file. Let's proceed with MiniDumpW. This was designed to work specifically with rundll32 it requires 3 arguments where the third one is the should have everything wrapped in quotation marks as the 2 first are ignored.

One of the first thing we need to find first is the process of lsass.exe

Once located we use the command properly

And we see our dmp file created.

We can also use this with mimikatz offline or as well with pypykatz.

Last updated