Credential Dumping: Local Security Authority (LSA|LSASS.EXE)

This post reviews common LSASS credential-dumping techniques, both remote and local, detailing the tools and workflows attackers use to extract NT hashes, Kerberos tickets, cleartext passwords, and DPAPI keys from memory. It also covers parsing dumps with pypykatz, network-level detection for DRSUAPI/DCSync and anomalous SMB activity, and mitigations such as Credential Guard and running LSASS as a Protected Process Light. #lsassy #nanodump #impacket #pypykatz #CredentialGuard

Key points

  • LSASS memory contains NT hashes, Kerberos tickets, cleartext passwords, DPAPI master keys, and Kerberos session keys.
  • Remote dumping tools include lsassy, NetExec (nxc) modules, nanodump, and impacket-secretsdump, often leveraging SMB, RPC, or DRSUAPI.
  • Local dumping methods use Process Explorer, Task Manager, comsvcs.dll via rundll32, and ProcDump to create LSASS memory dumps.
  • pypykatz parses LSASS dump files to recover credentials and Kerberos tickets for lateral movement and reuse.
  • Defenses include enabling Credential Guard, configuring LSASS as a Protected Process Light (PPL), applying ASR rules, and monitoring for DCSync and unusual SMB/admin share activity.
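The defensive checks behind the last point, as an added example that is not part of the original post or of any of the tools it names: a read-only PowerShell audit of the LSASS hardening state on a host (RunAsPPL, Credential Guard, the ASR rule that blocks credential theft from LSASS) plus a scan of Security event 4662 for the directory-replication rights a DCSync request needs. It assumes an elevated session, Defender cmdlets being available, that the ASR rule GUID below is Microsoft's published id for "Block credential stealing from the Windows local security authority subsystem", and that the replication scan runs on a domain controller with directory service access auditing enabled. The `$AllowedAccounts` parameter and the function names are this example's own.

```powershell
# Added example (not from the original post): audit LSASS hardening and look for
# DCSync-style replication requests. Run in an elevated PowerShell session.

function Get-LsaProtectionStatus {
    # RunAsPPL = 1 (PPL) or 2 (PPL with UEFI lock) marks LSASS as a protected process.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }
    [pscustomobject]@{
        Check   = 'LSASS RunAsPPL'
        Enabled = ($runAsPpl -ge 1)
        Detail  = "RunAsPPL=$runAsPpl"
    }
}

function Get-CredentialGuardStatus {
    # SecurityServicesRunning contains 1 when Credential Guard is actually running;
    # SecurityServicesConfigured only says it is configured.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    $running = @($dg.SecurityServicesRunning)
    [pscustomobject]@{
        Check   = 'Credential Guard'
        Enabled = ($running -contains 1)
        Detail  = "SecurityServicesRunning=$($running -join ',')"
    }
}

function Get-LsassAsrRuleStatus {
    # Assumption: this is the published GUID for the "Block credential stealing from
    # the Windows local security authority subsystem" ASR rule.
    $ruleId  = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    $pref    = Get-MpPreference -ErrorAction Stop
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $action  = 0   # 0 = disabled, 1 = block, 2 = audit, 6 = warn
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -and $ids[$i].ToString().ToLower() -eq $ruleId) {
            $action = [int]$actions[$i]
            break
        }
    }
    [pscustomobject]@{
        Check   = 'ASR: block credential stealing from LSASS'
        Enabled = ($action -eq 1)
        Detail  = "Action=$action (0 off, 1 block, 2 audit, 6 warn)"
    }
}

function Find-ReplicationAccessEvents {
    # Event 4662 on a domain controller records directory object access. The two
    # property GUIDs are DS-Replication-Get-Changes and DS-Replication-Get-Changes-All,
    # the rights a DCSync-style replication request exercises. Domain controller
    # computer accounts (names ending in '$') replicate legitimately and are skipped;
    # $AllowedAccounts is this example's own knob for known replication service accounts.
    param([int]$Hours = 24, [string[]]$AllowedAccounts = @())
    $guids  = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')
    $start  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $start } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $msg = $e.Message
        if (-not ($guids | Where-Object { $msg -match $_ })) { continue }
        $account = $e.Properties[1].Value.ToString()   # SubjectUserName field of 4662
        if ($account.EndsWith('$') -or ($AllowedAccounts -contains $account)) { continue }
        [pscustomobject]@{ Time = $e.TimeCreated; Account = $account; EventId = $e.Id }
    }
}

# Hardening posture on this host, one row per control
@(Get-LsaProtectionStatus; Get-CredentialGuardStatus; Get-LsassAsrRuleStatus) | Format-Table -AutoSize

# Replication-rights access by non-DC accounts in the last day (meaningful on a DC only)
Find-ReplicationAccessEvents -Hours 24 | Format-Table -AutoSize
```

Any row with `Enabled = False` is a gap to close before worrying about which dump tool is in use, since all of the remote and local methods listed above read the same LSASS memory; the replication scan is the host-side complement to the network-level DRSUAPI detection the post describes.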

Read More: https://www.hackingarticles.in/credential-dumping-local-security-authority-lsalsass-exe/