Procdump & LSASS
Last updated
procdump is a tool created and signed by Microsoft for sysadmins and developers to dump a running process's memory. It attaches to the process, reads its memory and writes it into a file.
The syntax is like this:
The dump then needs to be downloaded on the attacker's host, and traces on the remote host should be erased.
This technique is very practical since it does not generate much noise and only a legitimate, signed executable is used on the targeted hosts. pypykatz is useful for situations when we want to run everything on a Linux machine:
Download pypykatz from the repo or with pip3.
Open the dump file:
Now look for the NT values in the output (Windows hashed passwords) and copy them into a file; we then crack the hashes with hashcat:
Once we retrieve this PID, we just use it with procdump.
The dump process above can be done automatically with spraycatz:
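Because the dump is taken with a signed binary, the defender's visibility comes from process-access telemetry rather than from the tool itself. The following is an added example, not part of these notes or of any of the tools named above: it scans Sysmon Event ID 10 (ProcessAccess) records for handles to lsass.exe whose granted access mask includes PROCESS_VM_READ, which any memory dump needs. The events are constructed here for the example; the field names (SourceImage, TargetImage, GrantedAccess) follow Sysmon's schema, and the Win32 access-right constants are the documented values.

```python
"""Flag process handles to lsass.exe that carry memory-read rights.

Input records mimic Sysmon Event ID 10 (ProcessAccess). The sample events
below are constructed for this example, not captured from a real host.
"""

# Win32 process access rights (documented constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Constructed sample telemetry. Masks: 0x1FFFFF is a full-access handle,
# 0x1410 is the query+read combination a GUI dump typically requests,
# 0x1000 is a limited query that cannot read memory at all.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Program Files\App\app.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Tools\procdump64.exe", "CommandLine": "procdump64.exe"},
]


def is_lsass_memory_read(event):
    """True when a ProcessAccess event targets lsass.exe with read rights."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    # Any dump must read process memory; PROCESS_ALL_ACCESS includes this bit.
    return bool(mask & PROCESS_VM_READ)


def find_lsass_access(events):
    """Return (source image, granted mask) for every lsass memory-read handle."""
    return [
        (e["SourceImage"], int(e["GrantedAccess"], 16))
        for e in events
        if is_lsass_memory_read(e)
    ]


if __name__ == "__main__":
    for source, mask in find_lsass_access(SAMPLE_EVENTS):
        print(f"lsass read access from {source} (mask {mask:#x})")
```

The svchost record drops out because 0x1000 carries no read right, while the Task Manager record is kept: a dump from Task Manager looks the same at this layer, so the source image must be baselined rather than treated as a signature. Sysmon only emits Event ID 10 for targets its configuration lists, so lsass.exe has to be included in the ProcessAccess filter for this to fire at all; LSA Protection (RunAsPPL) and Credential Guard reduce what such a handle can read in the first place.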