Bypass LSASS Dump protection with RAM Dump - Pentestmag

Bypass LSASS Dump protection with RAM Dump


Bypass LSASS Dump protection with RAM Dump

by João Paulo de Andrade Filho

There is nothing more frustrating than an Antivirus blocking the execution of our tools and/or preventing certain actions to occur, like spawning a shell or blocking our attempts to dump the lsass process.

Modern protections such as EDR will surely block these types of attacks by hooking some API's and/or monitoring software behavior based on user actions. There are some bypasses that an operator can try (E.g Hell's Gate) but instead of coding a complex piece of software, it's possible to try a simpler approach.

Here it's shown a tool that I have been using when the LSASS Dump fails or gets blocked: Magnet RAM Capture (There is no need to install).

Magnet RAM Capture is a forensic tool to dump volatile memory. It will dump ALL the memory to a file, afterwards it's possible to grab the contents of this dump such as registry hives, passwords, processes, windows info and so on.

The tool will output a raw file, to analyse it, I have been using volatility3, version 2 also works, but there are some Windows builds that I could not make it work, so I stick with version 3.

Não foi fornecido texto alternativo para esta imagem

To use it, just execute and click in START, this tool is not considered malicious because is a trusted tool used in legit forensic activities.

Não foi fornecido texto alternativo para esta imagem

In this demonstration, I am using an Windows 10 fully updated with Kaspersky Endpoint Protection fully active and an industry EDR with all the modules activated.

Inspecting windows info

python3 -f /home/kali/Documents/memory_analysis.raw
Não foi fornecido texto alternativo para esta imagem

Grabbing the hashes with volatility

python3 -f /home/kali/Documents/memory_analysis.raw hashdump

Não foi fornecido texto alternativo para esta imagem

Volatility offers alot of options to analyse the dump:

  • Grab processes
  • Network Connections
  • Cache Dump (Domain Credentials)
  • Dump Processes

I recommend you to read the documentation and choose the options that fits your needs during the engagement.


The only drawback about this tool is the size of the raw, it will match the size of the RAM, so if you have a computer with 32GB of ram, the dump file will be 32 GB in size, it can be really difficult to download the file or put it somewhere to analyze, but it all depends on the case and situation.

My website:

Originally published at:

September 26, 2022
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Oldest Most Voted
Inline Feedbacks
View all comments
run 3
3 months ago

This is something I’ve discussed with a friend. Run 3 is an addicting infinite runner game set in a futuristic universe in which you control a self-falling ball on a 3D track, combining old and new gameplay elements. A fast-paced game with some bizarre high-tech elements.

5 months ago

Your comments on the forum are very reasonable, hope you add comments to the run 3 website for us to improve further, and thank you for your comments.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013