Procdump & LSASS

Procdump

procdump is a tool created and signed by microsoft for sysadmins and developers to dump a running process memory. It attaches to the process, reads its memory and write it into a file.

the syntax is like this:

procdump --accepteula -ma <processus> processus_dump.dmp

Dumping LSASS from Memory

it’s possible to dump lsass memory on a host, download its dump locally and extract the credentials using Mimikatz.

Procdump can be used to dump lsass, since it is considered as legitimate thus it will not be considered as a malware.To do so, send procdump to the server eather by a meterpreter session or nc or smbclient.py from the impacket suit.

try to upload it to windows/temp directory to avoid attention Once uploaded, procdump needs to be executed in order to create this lsass dump.

procdump.exe -accepteula -ma lsass C:\\Windows\\Temp\\lsass.dmp

The dump then needs to be downloaded on the attacker’s host, and traces on the remote host should be erased.

Credentials can be retrieved with Mimikatz: the first line loads the memory dump, and the second one retrieves the secrets.but we need a windows system for that.

Pypykatz

This technique is very practical since it does not generate much noise and only legitimate executable is used on the targeted hosts. pypykatz is usefull for situations when we want to run everything on a linux machine:

download pypykatz from repo or with pip3

pip3 install pypykatz
pip3 install minidump minikerberos aiowinreg msldap winsspi

open the dump file:

pypykatz lsa minidump lsass.dmp

now look for the NT values in the out put. (windows hashed passwords) and copy them into a file we crack the hashes with hashcat then:

hashcat -m 1000 -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt --status

dumping lsass is considered as suspicious activity by Windows Defender. When the dumping process is finished, Windows Defender removes the dump after a few seconds. If we have very good connectivity and the dump is not too big, it is possible to download the dump before it’s being deleted.by providing it with lsass PID, Windows Defender no longer complains.We just have to find lsass PID, using the command tasklist for example.

tasklist /fi "imagename eq lsass.exe"

Once we retrieve this PID, we just use it with procdump

procdump -accepteula -ma 640 lsass.dmp

the dump process above can be dione automatically with spraycatz:

PreviousMeterpreter NextAD User Comments

Last updated 2 years ago