https://github.com/deepinstinct/Lsass-Shtinkering

https://github.com/deepinstinct/Lsass-Shtinkering

Last synced: 11 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/deepinstinct/Lsass-Shtinkering
• Owner: deepinstinct
• Created: 2022-08-13T22:07:38.000Z (over 3 years ago)
• Default Branch: main
• Last Pushed: 2023-01-19T15:13:44.000Z (about 3 years ago)
• Last Synced: 2024-04-13T02:56:47.471Z (about 2 years ago)
• Language: C++
• Size: 11.7 KB
• Stars: 368
• Watchers: 5
• Forks: 41
• Open Issues: 3
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-csirt - Lsass Shtinkering

README

          
# Lsass Shtinkering

New method of dumping LSASS by abusing the Windows Error Reporting service.

It sends a message to the service with the ALPC protocol to report an exception on LSASS.

This report will cause the service to dump the memory of LSASS.

## Prerequisites

The registry value "DumpType" under "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" should be set to 2.

## Credits

* [Asaf Gilboa](https://twitter.com/asaf_gilboa)

## References

- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf