Ways of extracting credentials from LSASS.exe ?

sil3nt_n1nja

Do you know any other ways using one can extract credentials from Windows' LSASS?

I am aware of:

1. Load and use mimikatz on a compromised machine
2. Use a c# implementation of mimikatz (to evade A/V)
3. Task Manager, right click on the lsass.exe process and "Create **** file". Then use mimikatz on your own machine against the created **** file
4. Use other tools to **** lsass process memory and again use mimikatz in your own machine

chrisone

I am in the middle of playing with Dumpert which uses this method sRDI 
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
https://github.com/outflanknl/Dumpert
https://silentbreaksecurity.com/srdi-shellcode-reflective-dll-injection/
https://github.com/monoxgas/sRDI

Dumpert/sRDI is a method of disabling the API hooks that AV/EDRs have on the OS. Start with the first article to get a proper understanding of the concepts and methods. 

This is a very good read too
https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6

sil3nt_n1nja

@chrisone this is extremely interesting. Thank you

UnixGuy

This was one of the labs in SANS GCFA training btw. Good stuff!

chrisone

UnixGuy said:

This was one of the labs in SANS GCFA training btw. Good stuff!

what specifically was the lab about? win event logs about processes accessing lsass?

UnixGuy

chrisone said:

UnixGuy said:

This was one of the labs in SANS GCFA training btw. Good stuff!

what specifically was the lab about? win event logs about processes accessing lsass?

I honestly can't remember it's been 3 years. The class takes you through a full compromise scenario during the 5 days, and one step included dumping passwords from LSASS via mimikatz