{
	"id": "e0378789-ad77-4fb8-9771-3b5001547dd3",
	"created_at": "2026-04-06T00:16:13.516944Z",
	"updated_at": "2026-04-10T13:12:57.014204Z",
	"deleted_at": null,
	"sha1_hash": "fea1056108f08a6ceece272302729522975eeb2e",
	"title": "LSASS Memory Dumps: New Method for Dumping LSASS [Part 2] | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 203785,
	"plain_text": "LSASS Memory Dumps: New Method for Dumping LSASS [Part 2] | Deep Instinct\r\nBy Asaf Gilboa, Security Researcher\r\nPublished: 2021-02-16 · Archived: 2026-04-05 16:01:50 UTC\r\nIn a previous article, we detailed the numerous ways to dump LSASS memory for credential extraction; in this article we show a new way to dump LSASS without dropping any new tool on the endpoint.\r\nMITRE Technique: T1003.001\r\nTechnical Overview\r\nThere is a very neat way to cause WerFault.exe (the Windows Error Reporting process that handles process crashes) to create a memory dump of lsass.exe in a directory of your choice. The major advantage of this technique is that it does not cause lsass.exe to crash, and since WerFault.exe is used to create dump files all the time (not just for lsass.exe), this method has the added advantage of going undetected. WerFault.exe is a process known for dumping every crashing process; from an attacker’s standpoint this is appealing, as their illicit credential extraction will appear benign because from a defender’s viewpoint it is within the realm of normal activity.\r\nThis method relies on a mechanism introduced in Windows 7 called Silent Process Exit, which provides the ability to trigger specific actions for a monitored process in one of two scenarios: either the process terminates itself by calling ExitProcess(), or another process terminates it via the TerminateProcess() API.\r\nThere are multiple actions that can be configured to occur upon a silent process exit:\r\nLaunch a monitor process\r\nDisplay a pop-up\r\nCreate a dump file\r\nOption #1 can be used as a persistence mechanism. For the purpose of this study, we describe how to use option #3 for dumping lsass.\r\nTo set up a process for silent exit monitoring, a few registry settings must be set:\r\n1. The GlobalFlag for the process’ Image File Execution Options must be set to include the flag FLG_MONITOR_SILENT_PROCESS_EXIT (0x200)\r\n2. SilentProcessExit must be set by either:\r\na. Global settings, under the key:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\r\nhttps://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2\r\nPage 1 of 5\r\nb. Application-specific settings, under the key:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\ProcessName\r\nThe SilentProcessExit settings are configured through registry values; for this purpose the interesting ones are the following:\r\nReportingMode (REG_DWORD) – Bitwise OR of the following flags:\r\nLAUNCH_MONITORPROCESS (0x1) – Launch a monitor process\r\nLOCAL_DUMP (0x2) – Create a dump file for the process that caused the termination and for the process that was terminated\r\nNOTIFICATION (0x4) – Display a pop-up notification\r\nLocalDumpFolder (REG_SZ) – The directory where the dump files will be created. The default location is %TEMP%\\Silent Process Exit.\r\nDumpType – Specifies the type of dump file (Micro, Mini, Heap or Custom) according to the MINIDUMP_TYPE enum. A full minidump is the value MiniDumpWithFullMemory (0x2).\r\nSo, what would happen if the SilentProcessExit registry settings are set so that lsass.exe will dump itself, and then either lsass.exe is killed or the computer is shut down?\r\nTo answer this, we use taskkill to terminate lsass. This brings up the following message, because Windows really doesn’t like to have lsass.exe shut down:\r\nA warning like this is problematic for an endpoint user to see during an attempt to gather credentials, but it does produce a new directory under C:\\temp, which contains the full memory dump of lsass.\r\nNice!\r\nA dump of taskkill.exe is also obtained, which normally wouldn’t be accessible if the computer had been shut down instead of lsass.exe being terminated. This happened because the Silent Process Exit mechanism also causes the process that initiated the termination to be dumped.\r\nThe question we now need to ask ourselves is – how is the process dumped? Thanks to Hexacorn's blog, we know that when a process terminates it calls the RtlReportSilentProcessExit() API from ntdll.dll, which communicates to the Windows Error Reporting service (WerSvc under WerSvcGroup) that the process is performing a silent exit. The WER service then launches WerFault.exe, which does the dumping of the exiting process. The interesting thing to notice is that calling this API does not cause the process to exit. This prompted us to try the same call on lsass.exe, to get the dump file without terminating lsass.\r\nHere is the function definition of RtlReportSilentProcessExit():\r\nNTSTATUS (NTAPI *RtlReportSilentProcessExit)(_In_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus);\r\nBut what if we supply a ProcessHandle of lsass.exe from OUTSIDE of LSASS?\r\nCalling RtlReportSilentProcessExit this way requires a handle to lsass.exe with PROCESS_VM_READ access and also the SeDebugPrivilege privilege; otherwise the dump file will be created but without any content. In addition, an x64 process is required to open a handle to an x64 lsass process.\r\nUsing a program we wrote that does just that, we can see here the dump file created:\r\nThat’s great!\r\nNow, we can delete the unnecessary dump of our own process and send the lsass dump to our attacker server to have the credentials extracted.\r\nBut can we go even further and force lsass.exe to create a dump of itself? Using CreateRemoteThread on lsass.exe, we were able to cause it to run RtlReportSilentProcessExit:\r\nVoila, lsass.exe’s own dump file!\r\nFrom an EDR standpoint, it will appear as though lsass.exe requested a dump of itself from WER. Since WER is the mechanism in Windows that is responsible for creating dump files anyway, it is likely to be whitelisted as a process that creates dump files of lsass.exe, in order to reduce false positives.\r\nThe code to perform both of these methods can be found in our GitHub repository.\r\nSuggested Solutions\r\nIn the following section, we detail the measures that can be taken to detect dumping of the lsass.exe process.\r\nMonitoring Registry\r\nSet a rule for creation of the GlobalFlag registry value under:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\lsass.exe\r\nGlobalFlag    REG_DWORD    0x200\r\nNote that GlobalFlag is a bitwise OR of possibly numerous flags, so the 0x200 bit may be set alongside others.\r\nThe following registry key should also be monitored for creation and for changes:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe\r\nMonitor Files\r\nSet a rule for file creation for anything with the following file-name pattern:\r\n“lsass*.dmp”\r\nRunAsPPL\r\nWindows enables the ability to launch the lsass.exe process as a Protected Process Light (PPL), which prevents any non-PPL process from using OpenProcess() to access lsass.exe. This neutralizes all methods described in this article (besides the full memory dump methods). The following registry value is required to be set:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\r\nRunAsPPL       REG_DWORD 0x1\r\nThe downside of this method is that running lsass.exe as PPL prevents any third-party DLLs from loading into it, including known and benign authentication packages. If your organization utilizes some smart-card solution, for example, this is not an option.\r\nDue to the obscurity of this attack vector, available AV and EDR solutions are not going to have these detection and mitigation configurations in place; rather, they will need to be configured manually. In upcoming versions, Deep Instinct’s customers can expect to have automatic protection from this technique within the credential dumping heuristic.\r\nSummary\r\nThe numerous ways of dumping LSASS memory give attackers a range of options to stay undetected by antivirus products and EDRs. This new method that we have introduced to get a process dump of LSASS to disk hasn’t been utilized before, while the use of WER has the added benefit of making the illicit memory extraction appear benign. This creates a ripe opportunity for hackers, with the possibility of many security environments having the file dump process whitelisted.\r\nSource: https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2"
	],
	"report_names": [
		"lsass-memory-dumps-are-stealthier-than-ever-before-part-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434573,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fea1056108f08a6ceece272302729522975eeb2e.pdf",
		"text": "https://archive.orkl.eu/fea1056108f08a6ceece272302729522975eeb2e.txt",
		"img": "https://archive.orkl.eu/fea1056108f08a6ceece272302729522975eeb2e.jpg"
	}
}