Dumping Lsass

by Vince
in Blog
Hits: 769

I gave a talk recently at BSides Iowa and now that my talk is finished I wanted to get back to blogging.  There were a number of topics in my talk and a number of them have yet to be written about.  One of those topics is about the recent changes in Lsass.  Basically, Microsoft has restricted our ability to use Mimikatz to dump Lsass. 

What is Lsass? 

Local Security Authority Subsystem Service (Lsass.exe) is the process on an Active Directory domain controller. It's responsible for providing Active Directory database lookups, authentication, and replication.

To summarize that into something meaningful, Lsass contains usernames, passwords, and hashes. 

Pulling a section out of my talk, I take over a system and when I look at the sessions, I notice the administrator had recently disconnected:



Prior to recent changes from Microsoft, we could launch Mimikatz and dump Lsass. 

When we pull up Task Manager, we find the process:



Because we have local admin access to this system, we don't need Mimikatz to dump the process, Task Manager will do that for us:



When we dump the file, Task Manager saves it to a temp folder:



Almost immediately, Defender alerts on a suspicious behavior:



Defender, almost ready for primetime but not quite.  I moved quickly enough to copy the dump file to the desktop.  Moments after that, Defender deleted the dump file in the temp folder but NOT on the desktop.



Because I am local admin, I disabled Defender.  



Now we can use Mimikatz to extract data from the dump file:



We dump the password hash for the administrator account as well as acquiring clear text passwords for other users which I'm not showing in the above image.  From here, we can attempt to crack the hash or we can use CrackMapExec to pass the hash.  The latter being my approach which lead to a full domain compromise.