# Dump LSASS when Debug Privilege is disabled

## SeDebugPrivilege

SeDebugPrivilege is managed by Group Policy under **Group Policy Management Editor → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Debug programs → Define these policy settings**. There you configure the users and groups that are allowed to debug programs. By default, Local Administrators are assigned it.

<img src="/files/UorzHD2v6cPAlDbi74O8" alt="" data-size="original">

This privilege is needed when a program crashes and a memory dump has to be created so that support can troubleshoot it.

I found this article (<https://gytpol.com/how-a-simple-group-policy-setting-can-prevent-a-privilege-escalation-from-becoming-a-lateral-movement/>) which says that if we minimize the privileges on LSASS, we can prevent credential dumping. Let's see.

## Dump LSASS as Local Administrator with Domain Admins assigned privileges

A domain administrator can create a GPO that only allows Domain Admins to debug programs.

<img src="/files/xmNKIoxzvyqJO7awcH1I" alt="" data-size="original">

This way, even with a Local Administrator account and a High Integrity process, creating dumps fails.

<img src="/files/naO2u7Vz2tRAnLvbhtPy" alt="" data-size="original">

Opening the LSASS process permissions, we can see that SYSTEM and Local Administrators have only Read and Execute permissions, which are not enough to dump its memory:

![](/files/6dmYmTTFDZVDaIHpZ8Wu)![](/files/UWx5ExOG0cD6qbkp8cRJ)

But, TrustedInstaller has Full Control over the process:

![](/files/GXLRIOUU6XINrFBJaKQy)

### TrustedInstaller

The TrustedInstaller (<https://softwarekeep.com/help-center/what-is-trustedinstaller-and-should-i-remove-it-from-windows-10>) is a Windows Modules Installer component, responsible for helping you install, modify and remove updates and other Windows components. It’s essentially a built-in, hidden “user account” in Windows 10, as well as Windows 8 and Windows 7.

To interact with TrustedInstaller as a Local Administrator, we can either use its token (with something like Incognito), or start a process from the TrustedInstaller service so that it inherits the service's token.

![](/files/qNfYfZ0uWjoit2LMVY4K)

Running whoami as TrustedInstaller with its output redirected to a file creates the file but prints nothing to the console, which confirms that the command ran with TrustedInstaller's permissions:

<img src="/files/G2dY0CCqhRikamotuaSy" alt="" data-size="original">

### LSASS Dump

To dump LSASS, we can use something like ProcDump (but you can use anything you want):

<img src="/files/kCSecqFVXGXELad5ASrY" alt="" data-size="original">

As we can see, it did manage to dump the LSASS memory using procdump as TrustedInstaller. (Something to notice: procdump is flagged as malicious by Windows Defender, so prior to dumping the memory, either try to make it undetectable or use another method.)

Finally, we dump the credentials with mimikatz:

<img src="/files/1A8pbJpm0mcG7SrIY4ta" alt="" data-size="original">

## Dump LSASS as Local Administrator with no user assigned to debug programs

Another thing an Administrator can do is remove every user and group from the Debug programs right. This prevents admins from creating memory dumps, but it should also prevent hackers from dumping LSASS.

Or do they?

We remove every user and group from the GPO setting that allows program debugging and retry everything:

<img src="/files/8CZ4KPpjTQ6Q0lj6olEf" alt="" data-size="original">

Again, TrustedInstaller has full access to the process:

<img src="/files/UmLirEnpM9aJ0n4ghTK0" alt="" data-size="original">

We try again to do the same thing:

<img src="/files/P3esCx6GczERNXSWM0pW" alt="" data-size="original">

As we can see, we can dump LSASS and the credentials again:

<img src="/files/4HmmehQln7JVTRDMe1Kc" alt="" data-size="original">

So, assigning no one to the right made no difference.

## Removing Full Control from TrustedInstaller

We remove all permissions for TrustedInstaller from the LSASS process ACL.

![](/files/rj9W6VYIHWxLigxghQR1)

We can still dump LSASS:

![](/files/We8WIHcTG7vIWVCzWdhz)

Needless to say, the credentials too:

![](/files/Z2QUhFn0bLGLz2lcVOSe)

## Closing Remarks

In the end, we managed to dump LSASS even with minimized permissions on it. Of course, all of these examples require Local Admin rights, but you get the idea.

As for detection, I would say EDR catches TrustedInstaller modifications, so monitoring them is a good start. Another thing you can do is monitor TrustedInstaller's binary and its commands. Adversaries can of course change the name, but again, that's a good start.
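As an added example that is not part of the original post, the following Python sketch applies the detection idea above to constructed Sysmon-style events: it correlates process-creation (Event ID 1) with process-access (Event ID 10) records and flags a dump-capable handle to lsass.exe opened by a process that runs as, or was spawned by, TrustedInstaller. Field names follow Sysmon's schema (SourceUser on Event ID 10 assumes a Sysmon version that records it); the image paths, users and GUIDs are constructed sample data.

```python
# Added detection example (not from the original post). Correlates constructed
# Sysmon-style EID 1 (process create) and EID 10 (process access) events and
# alerts when a handle with minidump-capable rights to lsass.exe comes from a
# TrustedInstaller context (token user or parent process).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
DUMP_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION  # what MiniDumpWriteDump needs
TI_IMAGE = r"c:\windows\servicing\trustedinstaller.exe"
TI_USER = r"nt service\trustedinstaller"

# Constructed sample events; GUIDs, paths and the tool name are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT SERVICE\TrustedInstaller"},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Tools\procdump.exe",
     "ParentImage": r"C:\Windows\servicing\TrustedInstaller.exe", "User": r"NT SERVICE\TrustedInstaller"},
    {"EventID": 10, "SourceProcessGuid": "{B}", "SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "SourceUser": r"NT SERVICE\TrustedInstaller"},
    {"EventID": 1, "ProcessGuid": "{C}", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 10, "SourceProcessGuid": "{C}", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "SourceUser": r"NT AUTHORITY\SYSTEM"},  # benign limited-information query, no alert
]

def can_dump(granted_access: str) -> bool:
    """True if the granted access mask carries at least the rights a minidump needs."""
    return int(granted_access, 16) & DUMP_MASK == DUMP_MASK

def find_ti_lsass_access(events):
    """Return one alert per lsass.exe handle opened from a TrustedInstaller context."""
    spawned_by_ti = set()   # ProcessGuids of children of TrustedInstaller.exe
    alerts = []
    for ev in events:
        if ev["EventID"] == 1 and ev["ParentImage"].lower() == TI_IMAGE:
            spawned_by_ti.add(ev["ProcessGuid"])
        elif ev["EventID"] == 10 and ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            child_of_ti = ev["SourceProcessGuid"] in spawned_by_ti
            ti_context = child_of_ti or ev["SourceUser"].lower() == TI_USER
            if ti_context and can_dump(ev["GrantedAccess"]):
                alerts.append({"image": ev["SourceImage"], "access": ev["GrantedAccess"],
                               "parent_is_ti": child_of_ti})
    return alerts

if __name__ == "__main__":
    for a in find_ti_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT: lsass handle {a['access']} from {a['image']} "
              f"(spawned by TrustedInstaller: {a['parent_is_ti']})")
```

Because the parent check and the token-user check are independent, a renamed dump tool still trips the rule as long as it opens LSASS with read rights from a TrustedInstaller token or as a child of TrustedInstaller.exe.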
