Procdump & LSASS
Procdump
procdump is a tool created and signed by microsoft for sysadmins and developers to dump a running process memory. It attaches to the process, reads its memory and write it into a file.
the syntax is like this:
Dumping LSASS from Memory
itβs possible to dump lsass memory on a host, download its dump locally and extract the credentials using Mimikatz.
Procdump can be used to dump lsass, since it is considered as legitimate thus it will not be considered as a malware.To do so, send procdump to the server eather by a meterpreter session or nc or smbclient.py from the impacket suit.
try to upload it to windows/temp directory to avoid attention Once uploaded, procdump needs to be executed in order to create this lsass dump.
The dump then needs to be downloaded on the attackerβs host, and traces on the remote host should be erased.
Credentials can be retrieved with Mimikatz: the first line loads the memory dump, and the second one retrieves the secrets.but we need a windows system for that.
Pypykatz
This technique is very practical since it does not generate much noise and only legitimate executable is used on the targeted hosts. pypykatz is usefull for situations when we want to run everything on a linux machine:
download pypykatz from repo or with pip3
open the dump file:
now look for the NT values in the out put. (windows hashed passwords) and copy them into a file we crack the hashes with hashcat then:
dumping lsass is considered as suspicious activity by Windows Defender. When the dumping process is finished, Windows Defender removes the dump after a few seconds. If we have very good connectivity and the dump is not too big, it is possible to download the dump before itβs being deleted.by providing it with lsass PID, Windows Defender no longer complains.We just have to find lsass PID, using the command tasklist for example.
Once we retrieve this PID, we just use it with procdump
the dump process above can be dione automatically with spraycatz:
Last updated
