Dumping Lsass Without Mimikatz

MiniDumpWriteDump API

See my notes on writing a simple custom process dumper with the MiniDumpWriteDump API (the same dbghelp call that Task Manager, ProcDump and comsvcs.dll below use under the hood):

Dumping Lsass without Mimikatz with MiniDumpWriteDump

Task Manager

Create a minidump of lsass.exe from Task Manager (Task Manager must be running as administrator): on the Details tab, right-click lsass.exe and choose Create dump file. The dump is written to %TEMP%\lsass.DMP on the target and should be copied off the host for parsing.

Switch the mimikatz context to the minidump (sekurlsa::minidump) and then extract credentials as usual (sekurlsa::logonpasswords):

Procdump

ProcDump from Sysinternals can also be used to dump the process (its -ma switch writes a full memory dump). Being a Microsoft-signed binary it is often allowed where mimikatz is blocked, but ProcDump targeting lsass is itself a well-known and widely signatured pattern:

comsvcs.dll

Executing the MiniDump export of the native comsvcs.dll found in Windows\system32 with rundll32. The calling process needs SeDebugPrivilege enabled to open lsass; an elevated PowerShell session enables it automatically, while an elevated cmd.exe does not, so the same command line fails silently from cmd:

ProcessDump.exe from Cisco Jabber

Cisco Jabber ships, at least in some versions (whether always is not clear), with a handy utility called ProcessDump.exe, found in c:\program files (x86)\cisco systems\cisco jabber\x64\. It can be used to dump lsass process memory from PowerShell like so:

screenshot by @em1rerdogan
