Session

Trust me, I got this: Dumping LSASS when Debug Privilege is disabled

Dumping LSASS has become one of the goals that most penetration testers want to achieve on a machine, and for good reason: LSASS holds a lot of credentials, from NTLM hashes to cached hashes and even certificates.
For an attacker to create a memory dump of LSASS, they need Local Administrator rights and SeDebugPrivilege, which is what allows the dump to be created. What happens when an organization has prevented Local Administrators from holding SeDebugPrivilege? Can an attacker still do anything?
In this talk, we will look at how the process ACL of TrustedInstaller can lead to dumping LSASS, even from an identity that is otherwise not allowed to. We will look at ways to obtain TrustedInstaller access, as well as ways to dump LSASS.

Bleon Proko

Security Engineer
