
Lsass on Windows 11

TheExample

RAID array
User
Registered: 28.05.2023
Messages: 86
Reactions: 5
Hello everyone,

What is the best way to dump the LSASS process on Windows 11 these days?
Are there any updated methods or tools that still work reliably, considering all the new security features and protections in Windows 11?
Also, do you know if there are any specific bypasses or tweaks needed for things like Credential Guard or other built-in defenses?

For example, we managed to get an LSASS dump, but when parsing it, all the credential lines are empty, like this:

Orphaned credentials ==
== WDIGEST [98e22fbc]==
username test
domainname Aa
Password: None
password (hex)

== WDIGEST [98e1ccfd]==
username SRVRDS$
domainname Aa
Password: None
password (hex)

== WDIGEST [98e1ccb4]==
username SRVRDS$
domainname Aa
Password: None
password (hex)


WDigest is enabled on the windows

Does anyone know what could be causing this, or how to get actual credentials in this scenario?
Any advice or updated techniques would be greatly appreciated!
 
отключаешь PPL, Defender Cred Guard, Core Isolation, Memory Integrity, LSA Protection, ребутаешь тачку и ждёшь новых кредов
Won't work bro. The only way to remove lsass.exe protection is through the kernel, so you have only one option and it is to use BYOVD. Also you shouldn't directly access lsass.exe from any other process, it is very suspicious. What you should do instead is to copy the exact process with NtCreateProcessEx; a good article on how to use this undocumented Win API function is here:
and then you remove the protection from the cloned lsass.exe and dump it to the disk.
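Added detection example, not code from the thread or any poster: the second reply says that directly opening lsass.exe from another process is very suspicious, and that is exactly what Sysmon Event ID 10 (ProcessAccess) records, so the check below flags dump-capable handle rights on lsass.exe requested by processes outside an allowlist. It assumes a constructed key=value record format, an assumed allowlist and constructed sample lines; PROCESS_CREATE_PROCESS is in the mask because the process-clone variant still needs that right on an lsass.exe handle.

```python
"""Flag suspicious handle opens to lsass.exe in Sysmon Event ID 10 (ProcessAccess) records."""
import re

# Win32 PROCESS_* access rights that allow reading or cloning LSASS memory;
# any of these on an lsass.exe handle is worth an alert.
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
PROCESS_CREATE_PROCESS = 0x0080  # required to fork/clone the process
SUSPICIOUS_MASK = PROCESS_VM_READ | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS

# Assumed allowlist of source images that legitimately open LSASS; tune per estate.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

_FIELD = re.compile(r"(\w+)=([^|]*)")


def parse_event(line):
    """Parse one 'key=value|key=value' record (constructed format for this example)."""
    return {k: v.strip() for k, v in _FIELD.findall(line)}


def is_lsass_access_alert(event):
    """True when a non-allowlisted process opens lsass.exe with a dump-capable right."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    try:
        granted = int(event.get("GrantedAccess", "0x0"), 16)
    except ValueError:
        return True  # malformed access field: fail closed and let an analyst look
    return bool(granted & SUSPICIOUS_MASK)


def scan(lines):
    """Return (SourceImage, GrantedAccess) pairs for every alerting record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_lsass_access_alert(ev):
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE = [
    r"EventID=10|SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\system32\svchost.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\Users\Public\tool.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Users\Public\tool.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x0080",
    r"EventID=10|SourceImage=C:\Users\Public\tool.exe|TargetImage=C:\Windows\system32\notepad.exe|GrantedAccess=0x1FFFFF",
]

if __name__ == "__main__":
    for src, access in scan(SAMPLE):
        print(f"ALERT lsass.exe opened by {src} with GrantedAccess={access}")
```

This only covers the user-mode handle path; the kernel-driver route the reply mentions never opens such a handle, which is why LSA Protection and Credential Guard, not logging alone, are the controls that matter.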