Procdump & LSASS
Last updated
ProcDump is a tool created and signed by Microsoft for sysadmins and developers to dump the memory of a running process. It attaches to the process, reads its memory and writes it to a file.
The syntax is as follows:
Procdump can be used to dump LSASS: since it is considered legitimate, it will not be flagged as malware. To do so, transfer procdump to the server, either through a meterpreter session, nc, or smbclient.py from the impacket suite.
The dump then needs to be downloaded to the attacker's host, and traces on the remote host should be erased.
This technique is very practical since it generates little noise and only a legitimate executable is used on the targeted hosts. pypykatz is useful when we want to run everything on a Linux machine:
Download pypykatz from its repo or with pip3.
Open the dump file:
Now look for the NT values in the output (Windows hashed passwords) and copy them into a file; we then crack the hashes with hashcat:
Dumping LSASS is considered suspicious activity by Windows Defender. When the dumping process is finished, Windows Defender removes the dump after a few seconds. With very good connectivity and a dump that is not too big, it is possible to download the dump before it is deleted. By providing procdump with the LSASS PID, Windows Defender no longer complains. We just have to find the LSASS PID, using the command tasklist for example.
Once we have retrieved this PID, we just use it with procdump:
The dump process above can be done automatically with spraycatz:
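For the detection side of what the notes above describe, here is an added example (not part of the original page or of any of the tools it mentions) that flags handle opens on lsass.exe in Sysmon Event ID 10 (ProcessAccess) telemetry. The flattened Key=Value log lines and the allow-list of source images are constructed for illustration.

```python
"""Flag LSASS memory-access events of the kind a process dump produces.

Sysmon Event ID 10 records SourceImage, TargetImage and the GrantedAccess
mask each time one process opens a handle to another. Reading another
process's memory needs PROCESS_VM_READ (0x0010); dump tools commonly ask
for every right at once (PROCESS_ALL_ACCESS, 0x1FFFFF). Renaming the dump
tool does not change the access mask, so the mask is what we key on.
"""
import re

PROCESS_VM_READ = 0x0010          # Win32 process access right
PROCESS_ALL_ACCESS = 0x1FFFFF     # all rights, Vista and later

# Constructed allow-list of images that routinely open lsass on a typical
# host; this must be tuned to the environment it is deployed in.
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\windows\system32\csrss.exe",
}

FIELD_RE = re.compile(r"(\w+)=([^,]+)")

def parse_event(line):
    """Turn 'Key=Value, Key=Value' into a dict; normalise paths and mask."""
    ev = {k: v.strip() for k, v in FIELD_RE.findall(line)}
    for k in ("SourceImage", "TargetImage"):
        if k in ev:
            ev[k] = ev[k].lower()
    ev["GrantedAccess"] = int(ev.get("GrantedAccess", "0"), 16)
    return ev

def is_lsass_dump_access(ev):
    """True for a non-allow-listed process that can read lsass memory."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").endswith(r"\lsass.exe"):
        return False
    if ev.get("SourceImage") in ALLOWED_SOURCES:
        return False
    access = ev["GrantedAccess"]
    return access == PROCESS_ALL_ACCESS or bool(access & PROCESS_VM_READ)

def find_suspicious(lines):
    events = (parse_event(line) for line in lines)
    return [ev for ev in events if is_lsass_dump_access(ev)]

# Constructed sample telemetry, not captured from a real host.
SAMPLE_LOG = [
    "EventID=10, SourceImage=C:\\Windows\\System32\\svchost.exe, TargetImage=C:\\Windows\\System32\\lsass.exe, GrantedAccess=0x1000",
    "EventID=10, SourceImage=C:\\Users\\bob\\Downloads\\procdump64.exe, TargetImage=C:\\Windows\\System32\\lsass.exe, GrantedAccess=0x1FFFFF",
    "EventID=10, SourceImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe, TargetImage=C:\\Windows\\System32\\lsass.exe, GrantedAccess=0x1410",
    "EventID=10, SourceImage=C:\\Temp\\renamed.exe, TargetImage=C:\\Windows\\System32\\lsass.exe, GrantedAccess=0x1410",
    "EventID=1, Image=C:\\Windows\\System32\\notepad.exe, CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"LSASS access by {hit['SourceImage']} (GrantedAccess=0x{hit['GrantedAccess']:X})")
```

The renamed binary in the fourth sample line is caught because 0x1410 still carries the PROCESS_VM_READ bit, which is the point of keying on the mask rather than the image name.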