Ways of extracting credentials from LSASS.exe ?
sil3nt_n1nja (Member, Posts: 9)
Do you know any other ways one can use to extract credentials from Windows' LSASS?
I am aware of:
- Load and use mimikatz on a compromised machine
- Use a C# implementation of mimikatz (to evade A/V)
- Task Manager: right-click the lsass.exe process and choose "Create **** file", then use mimikatz on your own machine against the created **** file
- Use other tools to **** lsass process memory, then again use mimikatz on your own machine
Comments
chrisone (Member, Posts: 2,278):
I am in the middle of playing with Dumpert, which uses the sRDI method:
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
https://github.com/outflanknl/Dumpert
https://silentbreaksecurity.com/srdi-shellcode-reflective-dll-injection/
https://github.com/monoxgas/sRDI
Dumpert/sRDI is a method of disabling the API hooks that AV/EDRs have on the OS. Start with the first article to get a proper understanding of the concepts and methods.
This is a very good read too:
https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
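A defender-side companion to the techniques listed in this thread, added here as example code (it is not from any poster, nor from the Dumpert or sRDI projects): it scans constructed Sysmon Event ID 10 (ProcessAccess) records for handles opened on lsass.exe with memory-read rights by images outside a small allowlist. The allowlist paths and the sample records are assumptions made for the example. Sysmon's ProcessAccess telemetry comes from a kernel object callback rather than from the user-mode API hooks that Dumpert/sRDI sidesteps, so accesses made through direct system calls still appear in these records.

```python
"""Flag suspicious handle opens on lsass.exe in Sysmon Event ID 10 (ProcessAccess) records."""
import re

# Process access rights from winnt.h; reading another process's memory needs VM_READ.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF  # full-access mask as Sysmon reports it

# Full paths of images that routinely open lsass.exe on a typical host.
# Assumption for this example: tune to your own baseline before use.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

_FIELD = re.compile(r"(\w+)=([^,]+)")  # key=value pairs of one flattened record

def parse_event(line):
    """Turn 'EventID=10, SourceImage=..., ...' into a dict of field -> value."""
    return {key: value.strip() for key, value in _FIELD.findall(line)}

def is_suspicious(event):
    """True when a non-allowlisted image opens lsass.exe with memory-read rights."""
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    can_read_memory = bool(mask & PROCESS_VM_READ) or mask == PROCESS_ALL_ACCESS
    # Compare the full path, so a copy named svchost.exe in a temp folder is still flagged.
    return can_read_memory and event.get("SourceImage", "").lower() not in ALLOWLIST

def flag_lsass_access(lines):
    """Return the SourceImage of every suspicious lsass.exe access in the log."""
    events = (parse_event(line) for line in lines)
    return [e["SourceImage"] for e in events if is_suspicious(e)]

# Constructed sample records (not real telemetry), one Sysmon EID 10 event per line.
SAMPLE_LOG = [
    "EventID=10, SourceImage=C:\\Windows\\System32\\svchost.exe, TargetImage=C:\\Windows\\system32\\lsass.exe, GrantedAccess=0x1000",
    "EventID=10, SourceImage=C:\\Program Files\\Windows Defender\\MsMpEng.exe, TargetImage=C:\\Windows\\system32\\lsass.exe, GrantedAccess=0x1FFFFF",
    "EventID=10, SourceImage=C:\\Windows\\System32\\Taskmgr.exe, TargetImage=C:\\Windows\\system32\\lsass.exe, GrantedAccess=0x1FFFFF",
    "EventID=10, SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe, TargetImage=C:\\Windows\\system32\\lsass.exe, GrantedAccess=0x1010",
    "EventID=10, SourceImage=C:\\Windows\\System32\\notepad.exe, TargetImage=C:\\Windows\\System32\\svchost.exe, GrantedAccess=0x1FFFFF",
]

if __name__ == "__main__":
    for image in flag_lsass_access(SAMPLE_LOG):
        print("suspicious lsass.exe access from", image)
```

The Task Manager dump from the original post shows up as Taskmgr.exe opening lsass.exe with full access, and the svchost.exe copy in a user's Temp folder is caught because the allowlist matches on the full path.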
chrisone (Member, Posts: 2,278):
UnixGuy said: This was one of the labs in SANS GCFA training btw. Good stuff!

UnixGuy (Mod, Posts: 4,570):
chrisone said: UnixGuy said: This was one of the labs in SANS GCFA training btw. Good stuff!