
I would like to know what the minimum access is to be able to dump from the lsas


Question

I would like to know what the minimum access is to be able to dump from the lsass process on a Windows machine (any version) to try and grab LSA Secrets.

The reason I am asking is because I had thought it was restricted to admin and higher, but across multiple penetration tests and different versions of Windows, I have in the past been able to obtain LSA Secrets without getting local admin first, sometimes while logged in via RDP.

Now, is this because my user had admin access and I didn't realize it? Is that the only possibility? Or are earlier versions of Windows less restricted in allowing access to LSA Secrets?

Explanation / Answer

LSASS is a System-level process, so any kind of access to it will require Admin-level privileges. I would guess that your user had admin access and you didn't realize it. You can check your level of access through a batch script to confirm, if you still have access to the machine you RDP'ed into.

To the best of my knowledge LSASS has always been a protected process. It's needed for user login and for distributing access tokens, so it definitely wouldn't be a user-level process.
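One way to perform the access-level check the answer suggests, as an added example that is not part of the original answer: it reports the facts that decide whether a session could open LSASS at all (group membership, token elevation, SeDebugPrivilege, and the RunAsPPL setting). It assumes a Windows host; the RunAsPPL value only exists on Windows 8.1 / Server 2012 R2 and later.

```powershell
# Added example (not from the original answer): gather the facts that
# determine whether the current session could have opened LSASS, so a
# tester can confirm after the fact whether "no local admin" was really true.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# IsInRole() is evaluated against the *current* token: under UAC a member of
# Administrators running un-elevated still gets $false here.
$elevated = $principal.IsInRole($adminRole)

# Membership in the local Administrators group regardless of elevation
# (well-known SID S-1-5-32-544), which is what an RDP session often hides.
$groupSids = $identity.Groups | ForEach-Object { $_.Value }
$isMember  = $groupSids -contains 'S-1-5-32-544'

# SeDebugPrivilege is what allows opening another account's process such as
# LSASS; Administrators hold it by default. whoami lists it even when disabled.
$hasDebug = [bool]((whoami /priv) -match 'SeDebugPrivilege')

# RunAsPPL marks LSASS as a Protected Process Light. When it is set, even an
# elevated administrator cannot open LSASS from user mode. Missing = not configured.
$ppl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name RunAsPPL -ErrorAction SilentlyContinue

[pscustomobject]@{
    User                 = $identity.Name
    AdministratorsMember = $isMember
    ElevatedToken        = $elevated
    HasSeDebugPrivilege  = $hasDebug
    LsassRunAsPPL        = if ($ppl) { $ppl.RunAsPPL } else { 'not configured' }
    OSVersion            = [Environment]::OSVersion.Version.ToString()
}
```

If AdministratorsMember is true but ElevatedToken is false, the account was an admin running under UAC, which is the "had admin and didn't realize it" case the answer describes.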