academy content: pentester/Password attacks/attaking lsass
I’ve tried task manager> Local Security Authority Process>Create Dump File
and it doesn’t work… ( on my own test windows )
Window 10 VM;
``
| Edition | Windows 10 Pro |
|---|---|
| Version | 22H2 |
| Installed on | 25/01/2022 |
| OS build | 19045.4170 |
| Experience | Windows Feature Experience Pack 1000.19054.1000.0 |
A message appears saying file successfully created and stored. Despite being a dialog box with an ok button it disappears on its own without any interaction and too quickly to read - I had to screen record it so I could play it back, pause and read the location.
It says it saved it as C:\Users<user>\AppData\Local\Temp\lsass.DMP
but the file isn’t there when I look in file explorer ( with “show hidden” ticked )
``
cmd.exe as administrator:
c:\Users\<user>\AppData\Local\Temp>Dir /A:H *.DMP
Volume in drive C has no label.
Volume Serial Number is XXXXXXX
Directory of c:\Users\<user>\AppData\Local\Temp
File Not Found
Can anyone shed light on this ?
EDIT
OK, found it. You need to turn off Defender real time protection first - then it works as described. This allows you to use the rundll32 C:\windows\system32\comsvcs.dll method too.