Dumping LSASS Process Memory

Before going further, it is wise to create a copy of the contents of LSASS process memory by generating a memory dump.

1. Task Manager Method

With access to an interactive graphical session with the target, we can use task manager to create a memory dump. This requires us to:


Open Task Manager > Select the Processes tab > Find & right click the Local Security Authority Process > Select Create dump file

Task Manager saves the dump file under:

C:\Users\usersd\AppData\Local\Temp

This dump file is what we will transfer to our attack host. We can use the file transfer method discussed in the Attacking SAM section of this module to move it there.

2. Rundll32.exe & Comsvcs.dll Method

We may gain a shell session on a Windows host with access only to the command line. In that case we can dump LSASS process memory through a command-line utility called rundll32.exe. It is important to note that modern anti-virus tools recognize this method as malicious activity.

Before issuing the command to create the dump file, we must determine which process ID (PID) is assigned to lsass.exe. This can be done from cmd or PowerShell:

Finding LSASS PID in cmd

From cmd, we can issue the command tasklist /svc and find lsass.exe and its process ID in the PID field.

tasklist /svc
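From the defensive side, both methods above leave the same telemetry: a process opening lsass.exe with memory-read access and, in the Task Manager case, a lsass.DMP file appearing in the Temp folder. The following example is added here (it is not part of the original module) and runs a simple detection over constructed Sysmon-style events; the field names mirror Sysmon Event ID 10 (ProcessAccess) and Event ID 11 (FileCreate), and the allowlist of legitimate LSASS readers is an assumption for the example.

```python
# Sysmon-style LSASS dump detection; constructed events, not real telemetry.
PROCESS_VM_READ = 0x0010  # access bit a process needs to read another's memory
# Images that legitimately open lsass.exe on a typical host: assumed baseline
# for this example, compared by file name; tune it per environment.
ALLOWED_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return an alert string if the event looks like an LSASS dump, else None."""
    if event["EventID"] == 10:  # Sysmon ProcessAccess
        if basename(event["TargetImage"]) != "lsass.exe":
            return None
        src, mask = event["SourceImage"], int(event["GrantedAccess"], 16)
        if mask & PROCESS_VM_READ and basename(src) not in ALLOWED_LSASS_READERS:
            return f"{src} opened lsass.exe with read access {event['GrantedAccess']}"
    elif event["EventID"] == 11:  # Sysmon FileCreate
        name = basename(event["TargetFilename"])
        if name.startswith("lsass") and name.endswith(".dmp"):
            return f"{event['Image']} wrote dump file {event['TargetFilename']}"
    return None


def run_detection(events):
    """Collect alerts for every suspicious event in the stream."""
    return [alert for alert in map(analyze, events) if alert]


SAMPLE_EVENTS = [
    # Task Manager "Create dump file": opens LSASS, then writes lsass.DMP to %TEMP%
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\usersd\AppData\Local\Temp\lsass.DMP"},
    # rundll32.exe / comsvcs.dll method: rundll32 reading LSASS memory
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Benign: the Defender engine reads LSASS; svchost queries it without VM_READ
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

for alert in run_detection(SAMPLE_EVENTS):
    print("ALERT:", alert)
```

Running it reports the three dump-related events (the Task Manager access and file write, and the rundll32 access) and stays silent on the Defender and svchost entries.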