While pivoting through a compromised Windows 10 workstation, you need to harvest credentials without touching disk with third-party tools. Which native technique best meets this goal by dumping the LSASS process memory for later offline extraction of clear-text and hashed passwords?
Execute "reg save HKLM\SAM C:\Temp\sam.hive" to export the SAM registry hive containing password hashes.
Use rundll32.exe to call the MiniDump function in comsvcs.dll against the LSASS PID and save the output to a writable directory.
Run "tasklist /svc" to enumerate LSASS threads and redirect the output to a file for later parsing.
Start a packet capture with "netsh trace start capture=yes" and analyze the resulting ETL file for credential data.
Invoking the MiniDump export function that already exists in the system library comsvcs.dll causes Windows to create a full memory dump of the specified process (in this case LSASS) without first copying any external binaries to disk. By running "rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass_PID> C:\Windows\Temp\lsass.dmp full", an attacker with adequate privileges obtains the dump, which can then be exfiltrated and parsed with tools such as Mimikatz to recover credentials. The other options either only list running services, capture network traffic, or export registry hives; none of them produce an LSASS memory dump containing live credentials.
Certified Ethical Hacker (CEH)
System Hacking Phases and Attack Techniques