# Recovering lsass.dmp from the Defender Quarantine

During forensic investigations or red team operations, critical artifacts such as memory dumps or credential caches are routinely flagged and quarantined by **Microsoft Defender**. This is especially true for **LSASS process dumps**: once quarantined, the file is encrypted and stored under a randomized name, so getting it back is not just a matter of copying it out of the quarantine folder.

The tool linked below **decrypts files quarantined by Microsoft Defender**, restoring them to their original state for analysis.

#### 🧪 Use Case

Imagine you're performing a **credential dumping assessment** in an Active Directory environment. You successfully dump LSASS memory to `lsass.dmp`, but **Microsoft Defender quarantines it immediately**, encrypting and renaming the file.

Even if you copy the quarantined blob out of the quarantine store by hand (by default under `C:\ProgramData\Microsoft\Windows Defender\Quarantine\`), it's **unreadable without decryption**.

With this decryptor, you can restore the original dump (written out as a plain minidump, e.g. `lsass_decoded.bin` below) and proceed with offline analysis, such as:

* Hash extraction
* Password cracking
* Memory analysis (e.g. with tools like pypykatz)

```
pypykatz lsa minidump lsass_decoded.bin
```

#### ✨ Features

* 🔑 Implements **RC4 decryption** with Microsoft’s custom key scheduling, as used for Defender's quarantine store.
* 📦 Recovers both the **original file** and its quarantine **metadata**.
* ⏱️ Displays the **decryption duration** for performance tracking.
* 💡 Lightweight, with **no external dependencies**, and **cross-platform friendly** (a copied quarantine folder can be decrypted on a non-Windows analysis box).
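To make the "RC4 decryption" bullet concrete, here is an added, stand-alone example (not the linked tool's code) of the two halves of RC4, the key-scheduling algorithm (KSA) and the keystream generator (PRGA), wired into a small quarantine-file decryptor. Two things are assumptions, not facts from the page: `PLACEHOLDER_KEY` is a constructed stand-in for Microsoft's hardcoded quarantine key, and the KSA below is the textbook one, not Defender's custom variant, so this code will round-trip its own constructed sample but will not open a real quarantine blob without the tool's key and schedule. The directory names are Defender's default quarantine layout.

```python
"""Textbook RC4 (KSA + PRGA) as a generic quarantine-blob decryptor.

Added illustration, not the linked tool's code.  Assumptions, labelled here:
  * PLACEHOLDER_KEY stands in for Microsoft's hardcoded quarantine key, which
    this example does not reproduce; the linked tool also applies Defender's
    custom key schedule, which this standard KSA does not.
  * QUARANTINE_DIR is Defender's default quarantine location.
"""
import sys
import time
from pathlib import Path

# Default on-disk location of Defender's quarantine store (assumption: default install path).
QUARANTINE_DIR = Path(r"C:\ProgramData\Microsoft\Windows Defender\Quarantine")
RESOURCE_DATA_DIR = QUARANTINE_DIR / "ResourceData"   # encrypted file bodies
ENTRIES_DIR = QUARANTINE_DIR / "Entries"              # encrypted metadata records

# Constructed 256-byte placeholder key: NOT the real Defender key.
PLACEHOLDER_KEY = bytes(((i * 167) + 37) & 0xFF for i in range(256))


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute 0..255 under the key (standard RC4 KSA)."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: list, length: int) -> bytes:
    """Pseudo-random generation: emit `length` keystream bytes from state s (mutates s)."""
    i = j = 0
    out = bytearray(length)
    for n in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def looks_like_minidump(data: bytes) -> bool:
    """Post-decryption sanity check: a Windows minidump starts with the magic b'MDMP'."""
    return data[:4] == b"MDMP"


def decrypt_quarantined_file(src: Path, dst: Path, key: bytes = PLACEHOLDER_KEY) -> float:
    """Decrypt one quarantined blob to dst; return elapsed seconds (the duration readout)."""
    started = time.perf_counter()
    dst.write_bytes(rc4_crypt(key, src.read_bytes()))
    return time.perf_counter() - started


# Constructed sample: a fake minidump header plus filler, "quarantined" with the placeholder key.
SAMPLE_PLAINTEXT = b"MDMP" + bytes(range(60))
SAMPLE_CIPHERTEXT = rc4_crypt(PLACEHOLDER_KEY, SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        recovered = rc4_crypt(PLACEHOLDER_KEY, SAMPLE_CIPHERTEXT)
        print("self-test on constructed sample; MDMP magic recovered:", looks_like_minidump(recovered))
    else:
        src = Path(sys.argv[1])
        dst = Path(sys.argv[2]) if len(sys.argv) > 2 else src.with_suffix(".bin")
        print(f"decrypted in {decrypt_quarantined_file(src, dst):.3f}s -> {dst}")
```

The `MDMP` check is the practical test that the key and schedule were right: a wrong key yields a file of the same length with no recognisable header, and pypykatz will refuse it. Run with no arguments to exercise the constructed sample, or pass a blob copied from `ResourceData` plus an output path to see the file-to-file flow.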

🔗 GitHub: <https://lnkd.in/dP4xjHEF>

You can combine this tool with:

🔗 GitHub: <https://lnkd.in/dsv8VDDh>
